Recently in WSUS Category

I have spent all day patching servers and workstations and trying to find a direct download for the 958644 patch that was released last night. I was amazed when Microsoft even called us to join a web conference for Microsoft partners about this patch - that is something new.
I was not so pleased when I called PSS to ask for a direct download of the patch, as KB958644 does not have direct links, Windows Update services was timing out and the catalog website is badly broken. PSS informed me that as it was not a hotfix they could not provide me with the file and there was an 8-12 hour delay on callback from the server team. So instead I've been configuring WSUS for servers (that were not already configured), approving patches and downloading by visiting Windows Updates - a VERY time consuming process.
Anyway, without wasting more time - here are the download locations - I'd grab them before the server falls over too.


Thanks to Larry and Derek for the help in finding these.

So Microsoft updated a patch today to do with Adobe Flash Player and I quote "Caveats: This bulletin is for customers using Macromedia Flash Player version 6 from Adobe. Customers that have followed the guidance in Adobe Security Bulletin APSB06-11, issued September 12, 2006, are not at risk from these vulnerabilities. Vulnerable versions of Macromedia Flash Player from Adobe are redistributed with Microsoft Windows XP Service Pack 2, Microsoft Windows XP Service Pack 3, and Microsoft Windows XP Professional x64 Edition."

Now XP SP3 has only been out a couple of weeks, if that, and Adobe released their bulletin in September 2006, so how on earth is Windows XP SP3 vulnerable - surely Flash should have been updated in the XP SP3 release! This seems to make a mockery of the security focus that Microsoft are meant to be working hard on and, coming on the heels of the recent snafus with Windows updates and genuine advantage, it's no wonder people are not very happy with patching.

I had a client PC that was not updating with Windows Updates in our WSUS server. Looking through the logs I was receiving the error "FATAL: WUAutoUpdateAtShutdown failed, hr=80240FFF". On looking through the services, the automatic updates service was missing. Running regsvr32 wuaueng.dll added the service back in but I was unable to start the service, with the message "Error 1083: The executable program that this service is configured to run does not implement the service".
I also found that I was unable to start the BITS service. Googling on that came up with the Helpsvc fix application that fixes errors with the help and support service. Downloading and running this application, although seemingly unrelated to my problem, fixed both BITS and Windows Updates on the machine. Thanks to the newsgroup posting by Greg Kirkpatrick.

WSUS unable to delete log file.

One of my WSUS boxes had a log file in the C:\Program Files\Update Services\LogFiles directory that was 60MB big - normally these are deleted by WSUS itself, with a backup copy of the previous log kept as SoftwareDistribution.log.old. However the permissions on the folder were set such that Network Service (which WSUS runs under) did not have permissions to create new files in the directory. As it could not create files, it was unable to move the existing file to .old and create a new logfile to start writing entries in. By granting Network Service change permissions to the C:\Program Files\Update Services\LogFiles directory and then restarting the Update Services directory, the SoftwareDistribution.log file was renamed to .old and a new file created. Inspiration for this was found at EventID

Another WSUS3 update gotcha

I noticed that client machines hadn't been checking into some of the WSUS servers since the server was upgraded to version 3. The log files of the desktop PCs had errors such as "Reporter failed to upload events with hr = 80244016".
After a bit of digging and looking at the IIS console, I noticed that the wsus directories were now listening on port 8530 instead of the normal port 80. To fix this I changed the Group Policy setting "Set the intranet update service for detecting updates" and "Set the intranet statistics server" to read http://servername:8530 instead of http://servername, ran gpupdate on the desktop, restarted Automatic Update service, dropped to a command prompt and ran "wuauclt /detectnow" to ensure the desktop checked in *now* rather than later on.
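
A read-only check for the port mismatch described in this entry, as an added example that is not part of the original post. It reads the two Group Policy values from the client's registry (the standard WindowsUpdate policy key, values WUServer and WUStatusServer) and tests ports 80 and 8530 on the configured host; the function name Test-TcpPort is made up for this sketch.

```powershell
# Added example, not from the original post. Read-only: nothing on the client is changed.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$candidatePorts = 80, 8530   # the two ports mentioned in the post

function Test-TcpPort([string]$HostName, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$policy = Get-ItemProperty -Path $key -ErrorAction Stop

foreach ($name in 'WUServer', 'WUStatusServer') {
    $value = $policy.$name
    if (-not $value) {
        Write-Output "$name is not set by policy"
        continue
    }
    $uri = [uri]$value
    if (-not $uri.IsAbsoluteUri) {
        Write-Output "$name = $value (not a full http://host[:port] URL)"
        continue
    }
    Write-Output "$name = $value (host $($uri.Host), port $($uri.Port))"

    foreach ($port in $candidatePorts) {
        $open = Test-TcpPort -HostName $uri.Host -Port $port
        $note = ''
        if ($port -eq $uri.Port -and -not $open) { $note = '  <-- policy points at a closed port' }
        if ($port -ne $uri.Port -and $open)      { $note = '  <-- open, but policy does not use it' }
        Write-Output ("  port {0}: open={1}{2}" -f $port, $open, $note)
    }
}
```

An open port 80 only shows that some web site answers there; after a WSUS 3 upgrade that can be the default site rather than WSUS, which is the situation the entry describes.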

Looks like the problem that I mentioned earlier with iisworker crashing happens every 29 hours. Cecil on the wsus newsgroups has asked for logs from people who have this problem. I've contacted him to ask where to send the logs to. I'm going to apply the registry changes in 918041 to see if this fixes my problem.

Fixed! One of my servers has been failing to back up with the error "0xe00084af The directory or file was not found, or could not be accessed. Final error category: Job Errors. For additional information refer to link V-79-57344-33967". I spent ages troubleshooting the errors and trying to work out what was going on and found that it would fail to back up any file on the local hard disk of the machine.
I posted a note in the Symantec forums and didn't hear anything back, but did find a post that upgrading to 10d might fix it (not a current solution as this would mean purchasing an upgrade of the software for the Exchange agent, and the Exchange agent is currently working).
The other solution was to stop SQL servers on the box. This server was the WSUS box and I had also recently upgraded it to version 3 of WSUS. This created (at least) two new services - SQL Server VSS Writer and Windows Internal Database (Microsoft ##SSEE). Through trial and error I discovered that stopping the SQL Server VSS Writer service meant the backup would work, which is weird, as why this should affect me backing up something like c:\jobs\fred.bat, which has nothing to do with SQL, I don't know.
I'm hoping that my forum posting about the problem will get a better solution but for now I'm just pleased to be able to back up my file server.

IIS Worker issues with WSUS 3

On the two boxes that I've upgraded to WSUS version 3 this week I have received errors with the IIS Worker process crashing. One of the boxes has DEP intervening with the process and the other box just comes up with a message asking me to send the data to Microsoft.
Eventvwr shows event 1009, Source W3SVC with the error message being "A process serving application pool 'WsusPool' terminated unexpectedly. The process id was '4652'. The process exit code was '0xc0000005'."
The DEP error states "To help protect your computer, Windows has closed this program", Name: IIS Worker Process. Clicking on Change Settings gives me the DEP screen, which shows the IIS Worker process already allowed. Clicking close then offers to send a report to Microsoft (again). Oddly enough, the mmc console seems to work ok when launched so at the moment I'm not sure what is causing it. Seems too much of a coincidence for it NOT to be wsus3 though.
Not had too much time to look at the main cause for this - it could be due to the fact that the PCs haven't been rebooted since the install (and may need .net patches installed).

WSUS 3 is out.

WSUS3 is out. I'm probably going to install it on a site where version 2 isn't working properly due to the dreaded selfupdatetree problem (and yes, I have run the vbs script to patch it).

Had a customer whose WSUS box wouldn't download updates from Microsoft with event id 364 - Content download failed. Reason: Access is denied. Source File < snip > destination File: d:\wsus\wsuscontent......
It looks like the permissions on the root of d: (in this case) are not correct - Network Service needs read access - unfortunately Network Service does not appear in the list of users to add to the drive (and you can't right click d: to assign permissions).
Fortunately by using cacls you can change permissions - note that cacls is very powerful and you need to understand what you are doing before running this - take it from me, cacls going wrong can really mess with your system and your sanity and your job security!

If you are still with me, you need to do the following:
From a dos prompt:-
d:
cd\
cacls . <--- this provides you with the current state before you change it
cacls . /e /g "NT AUTHORITY\NETWORK SERVICE":r
cacls .

Then in wsus console, double click a client that needs an update, click on the status, click on an update that has failed. Click retry download. Look at the eventvwr and you should see event id 361 - Content synchronization started. A quick glance back at your wsus homepage should show the files being downloaded.

SBS 0x80070003 errors

I can't remember why I needed this at the moment (I am going through some emails I sent to myself to blog), but there is information about how to fix the 0x80070003 errors when synching with Windows Update Services.

error on wsus console

If you get a message "System.IO.FileNotFoundException: File or Assembly name xxxxxx.dll, or one of its dependencies, was not found" where xxxx is a random name, then you need to give the Network Service account change permissions on %systemroot%\Temp as per the readme for WSUS.
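
Three entries on this page come down to the same cause, Network Service lacking access to a path WSUS uses: the log file that would not rotate, event 364 on the content drive, and the console error above. The script below is an added example, not code from the original posts; it audits those three paths without changing anything. Mapping cacls "r" to Read and "change" to Modify is this example's assumption, and the function name Get-DirectRights is made up here.

```powershell
# Added example, not from the original posts. Read-only: reports, never changes ACLs.
# Only ACEs naming the account directly are counted; access that arrives through
# groups such as Users or Everyone is not evaluated here.
$account = 'NT AUTHORITY\NETWORK SERVICE'

# Paths are the ones named in the posts. Mapping cacls "r" to Read and "change"
# to Modify is this example's assumption.
$checks = @(
    @{ Path = 'D:\';                                       Need = 'Read'   },
    @{ Path = 'C:\Program Files\Update Services\LogFiles'; Need = 'Modify' },
    @{ Path = (Join-Path $env:SystemRoot 'Temp');          Need = 'Modify' }
)

function Get-DirectRights([string]$Path, [string]$Account) {
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow = 0
    $deny = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        # Inherit-only entries apply to children, not to this directory itself.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($ace.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny = $deny -bor [int]$ace.FileSystemRights
        }
    }
    # Deny entries win over allow entries.
    return ($allow -band (-bnot $deny))
}

foreach ($check in $checks) {
    if (-not (Test-Path -LiteralPath $check.Path)) {
        Write-Output "SKIP    $($check.Path) (not present on this machine)"
        continue
    }
    $need = [int][System.Security.AccessControl.FileSystemRights]$check.Need
    $have = Get-DirectRights -Path $check.Path -Account $account
    if (($have -band $need) -eq $need) {
        Write-Output "OK      $($check.Path): $account has $($check.Need)"
    } else {
        Write-Output "MISSING $($check.Path): no direct $($check.Need) grant for $account"
    }
}
```

A MISSING line means no ACE names the account directly, so confirm with cacls on that path before granting anything.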

SelfUpdateTree not working.

After changing my default outlook login setup on a mail server, I realised that the SUS server was complaining that the SelfUpdateTree was not working. Fix in extended entry.

mspatch fix.

KB article 909444 has how to fix the issues that may arise when you install Microsoft Security Bulletin MS05-051: Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400). Although I've not had any of these issues - yet - this will be good reference for me.

Patch Management email list

Patch Management.org looks like a good resource for keeping up to date with the Windows updates and seeing if other people are adversely affected by the latest Windows patches.
I must admit to being pretty cautious about all the patches that came out this week as they seem to affect major parts of the network; however, it looks like there are exploits going around for some of the unpatched machines already.

There is a great tool from Microsoft to troubleshoot SUS installations from the client. From my experience it tells you fairly quickly where the problem lies.
Download from this location with the Readme. These are linked (at the moment) from the WSUS support page, which also contains a link to the server version of this tool (which I've not tried yet).
A good set of results can be found in the extended entry.

Windows Update Group Policies

Seeing as though it's been a long time since I've done much work with Group Policies, it took me a long time to work out why the policy for disabling Windows Updates within IE and the start menu would not work, yet the settings for telling where the client should go to get its updates did work.
Eventually I read a website which tipped me off, and it is actually obvious when you think about it. I had created an OU and moved computers into it, but I hadn't added the users to the OU. Therefore only the computer configs were amended but not the users.
Now that I've done it correctly, WUS seems to be working pretty well (apart from one machine that thinks it needs to download .net framework 1.0 patches when in actual fact it needs to download 1.1 patches).

Tried to uninstall SUS on one of the servers at work and came up with the error message "could not set file security for c:\config.msi" as part of the install. This is fixed by stopping the installation and then creating config.msi on the root of c:\ and granting everyone full control. Restart the uninstallation and it works fine.

I installed Windows Update Services on a new server this morning (the old SUS server did not have the free disk space or software requirements) and I edited group policy on my laptop to make my machine talk to the new server. However, when I then tried to use group policy on the servers I got a "string is too long" error when editing the policies. This is a known bug and is fixed by installing an update, kb842933 (which needed a reboot).

Catch-Up

Not having that much internet access and the time to blog, I've quickly gone through my feeds and pulled a couple of things out of them:

  • A WUS Wiki which sounds like a bad day for Jonathan Ross, but is actually a wiki for the new Windows Update Services.

  • Links to videos of the Tsunami. This hit whilst we were on holiday and I never got to see any moving pictures of the wave itself - saw plenty of horrific news photos of the devastation afterwards though.

  • I removed Norton AntiVirus off the home computer as the subscription had run out and I'm not impressed with the number of infections that have gotten past it this year. Instead I've tried the free home edition of Avast's Antivir software which looks ok. It certainly picked up on eicar when I downloaded it - will be interesting to see how it copes with email-borne viruses.

WUS registration

I registered for the beta of Windows Update Services today. This is the successor to the OS only patching tool and will also include patches for Office etc. Not sure whether I will get a chance to deploy it here as they want to minimise network changes (and we're doing enough interruption as it is) but we'll see. I may even deploy it at home for updating friends' PCs quickly.

Sus scripts

Some useful SUS Perl scripts for checking the status of your SUS server and clients.

Wus v5

Funtime Franky blogs about MS reveals Windows Update v5 which is interesting reading. Apparently I'm meant to be on the beta team but I've not heard anything from Microsoft since February. Note that you can't go to the website if you are not running Internet Explorer 5 or above (well, you can if you change the user agent in Firefox).

SUS settings

Jeremy is blogging his Setting Up Software Update Services in a Non-Active Directory Environment experiences and includes some useful scripts to check everything is set up correctly.

SUS becomes WUS

According to Microsoft Watch, Software Update Services has been renamed "Windows Update Services" and the newest beta is on its way to testers (i.e. me). I've not had any notification from Microsoft about this but it will be interesting to see how different it is.

More SUS 2.0 news

From an email I received this week - "We're very close to finalizing the plan for the SUS 2.0 beta program. Once final decisions are made, customers chosen to be part of the beta will be notified at the e-mail alias provided in their nomination.
In addition, in response to the tremendous interest in SUS 2.0, we will announce an evaluation program where you will be invited to participate if you are not chosen. Under the evaluation program, you will be able to download and install beta code. Details of this program will be sent to this alias as well as the newsgroups in mid to late March.
We look forward to working with each of you to make SUS 2.0 a tremendous success. If you have questions regarding the SUS 2.0 Beta program please contact us at sus2beta@microsoft.com"

Incidentally, the reason why I've only just installed the patch, several days after it was made available, is because last week I cleaned up the disk space used on our SUS server and one of the things I (mistakenly) did was to select what I thought was all the urlscan log files, but actually included urlscan.ini. This didn't stop urlscan working - it just blocked practically every request as GET was not on the list of allowed verbs (as this list didn't exist). It was only when I realised that the patch hadn't been installed yet that I realised this was the culprit.

SUS 2

Microsoft sent me an email the other day saying that their Software Update Services beta program has been delayed and the *plan* won't be finalized until January 2004. So goodness knows when it's actually going to commence. At least this way they won't need to worry about supporting Win98 (which they didn't in the previous version either - but now they have a REAL excuse not to).

Sus Updater

A useful utility that can be used in conjunction with Microsoft Systems Update Server. If you have a PC that needs installing (or patching) but isn't normally on the LAN, then this utility forces the client to update against a named SUS server, apply the patches and then on reboot sets it back to use Microsoft's servers. Excellent for patching friends' PCs or remote workers' PCs that are not normally on the LAN and are WAY out of date.
