Methods for stopping Windows 10 updates that work on all editions and builds

Topic

New Reply

I’ve been looking for methods for stopping and starting Windows updates (not including those mentioned in Woody’s latest method for controlling Windows 10 updates) that might work on all editions and builds of Windows 10. I’m leery of using a metered connection because of its cons and also alleged bugs.

I’ll list each method in a separate post. I haven’t tried any of these methods (I don’t have Windows 10 installed at home yet) but I believe these methods might have merit. These methods might work in conjunction with Windows Update MiniTool or Microsoft’s wushowhide to control which updates are installed.

4 users thanked author for this post.

Schnarph, Elly, Cybertooth, woody

Reply | Quote

Replies

Windows Update Blocker

1 user thanked author for this post.

Fred

Reply | Quote

Windows 10 Update Switch

This program alters permissions to stop Windows or other programs from reenabling Windows Update.

1 user thanked author for this post.

Fred

Reply | Quote

Windows 10 Updater Disabler

Reply | Quote

Another program that perhaps can be used in conjunction with these programs: Portable Update.

Reply | Quote

I figured out a potential method of stopping Windows 10 from storing downloaded updates. It involves denying the system permission to write to the folder where Windows stores downloaded updates (\windows\softwaredistribution\download). I tested that it stops the storing of downloaded automatic updates and manual updates on Windows 7.

 

To deny the system permission to write to the folder where Windows stores downloaded updates:

Method 1: Do steps 5 to 10 at http://www.c-amie.co.uk/technical/windows-10-blocking-auto-driver-updates/.

Method 2: Batch file https://pastebin.com/V46VLfh9.

 

To allow the system permission to write to the folder where Windows stores downloaded updates:

Method 1: Do steps 5, 6, 7, 8, 16, and 10 at http://www.c-amie.co.uk/technical/windows-10-blocking-auto-driver-updates/.

Method 2: Batch file https://pastebin.com/rKeQL4kH.

Reply | Quote

An advantage of this method over disabling the Windows Update service is that it might be possible to hide updates with wushowhide while denying the system write access to \windows\softwaredistribution\download folder. This needs to be tested. If it works, then this method could be part of a nearly airtight method for controlling Windows updates:

1. Normally we’ll deny the system write access to \windows\softwaredistribution\download folder. Windows updates cannot be downloaded successfully during this state.

2. We’ll continue to deny the system write access to \windows\softwaredistribution\download folder while using wushowhide to hide unwanted available Windows updates. Windows updates cannot be downloaded successfully during this state.

3. Immediately after finishing step 2, we’ll allow the system write access to \windows\softwaredistribution\download folder and then run Windows Update. Windows updates (including possibly automatic updates) can be downloaded successfully during this state, but since we just completed step 2 recently, there shouldn’t be any unwanted updates downloaded (unless Microsoft made new updates available between step 2 and 3).

4. Immediately after finishing step 3, we’ll again deny the system write access to \windows\softwaredistribution\download folder. Windows updates cannot be downloaded successfully during this state.

Your thoughts on this?

Reply | Quote

This method works with Windows 10 x64 Home edition build 15063.0, and wushowhide hides and unhides updates while using this method.

1 user thanked author for this post.

Elly

Reply | Quote

This method looks promising (I haven’t tried it): Allow only manual updates on Windows 10.

Reply | Quote

Step 6 of “Disable automatic updates” might fail on non-English Windows. A replacement that might work even on non-English Windows (copied from http://www.nsaneforums.com/topic/307985-wumt-wrapper-script-224-223/):

icacls "%WINDIR%\System32\UsoClient.exe" /inheritance:r /remove *S-1-5-32-544 *S-1-5-11 *S-1-5-32-545 *S-1-5-18

 

Reply | Quote

From Command Line Equivalent of wuauclt in Windows 10 / Windows Server 2016: “On using Sysinternal’s Strings on UsoClient.exe, I found that there are more switches which can be used”

Reply | Quote

I noticed that the script at http://www.nsaneforums.com/topic/307985-wumt-wrapper-script-224-223/ also renames folder %ProgramFiles%\rempl. I think this might be needed because remsh.exe, which is in that folder, might periodically reset the permissions on usoclient.exe.

Reply | Quote

Image File Execution Options debugger registry method

Reply | Quote

From RebootBlocker: block automatic reboots on Windows 10:

“RebootBlocker is a free program that blocks the automatic reboot of Windows 10 devices effectively. The program makes use of the new active hours feature that Microsoft introduced with the release of  the Windows 10 Anniversary Update.

[…]

RebootBlocker takes the feature, and modifies it by adjusting the time period of Active Hours each hour. Basically, what happens is that Active Hours are always active on the PC as the period changes automatically while the PC is running.

The program achieves that by installing a service on the Windows machine that handles the changing of the time period of the Active Hours feature automatically.

Please note that RebootBlocker is only compatible with Windows 10 Anniversary Update version, and newer versions of Windows such as the Creators Update version. Installations on unsupported versions of Windows are cancelled automatically.”

Reply | Quote

WUMT Wrapper Script (discussion)

Reply | Quote

AveYo’s scripts (these have been changing often recently)

1 user thanked author for this post.

Schnarph

Reply | Quote

Re: AveYo’s: I thought those looked familiar: the installs_toggle script is the current version of pastebin script from the image file execution option debugger methods link. One interesting note: you can upgrade Win10 from an .iso and have those settings stick, as I found when I went to manually run the latest servicing stack and cumulative update for 1709 that I had already manually downloaded after just finishing upgrading to 1709 with the installs_toggle script active (I had the patches downloaded during the long time it took to get my PC ready to upgrade, due to my customizations, going back to work, and storm fronts – at least my housemate’s only takes half a day of prep plus backup time to get ready…). The upgrade went fine, the patches didn’t until I thought to run the script and see what the current status was showing.

Reply | Quote

I had the same results during testing: the Image File Execution Options used by the Image File Execution Options debugger registry method were not altered during either quality updates or feature updates.

Reply | Quote

I had to do a fresh Windows 10 Pro install for a new motherboard 2 weeks ago. Went with 1703 for this one, after installing drivers & programs, a full image backup, I manually installed all updates up to March (kb4088891). Using any/all windows GUI settings for delaying updates/upgrades/metered connection/etc. A first for me this time, Windows Defender and NO 3rd party anti-virus.

Next up was O&OShutup10 and WUMT Wrapper Script (both of which I’ve been using for months), and going online for the first time. Everything seemed fine for about a week, then mpcmdrun.exe (Windows Defender) starts downloading 130-135MB daily for 5 days until I found the culprit with Nirsoft NetworkUsageView. I only get 450MB internet/day, that’s close to a third for just one PC. For good reason, there is no reasonable way to stop WD downloads without going offline so I had to go for 3rd party AV (Avast Free).

I can say WUMT does exactly what it’s supposed to, but if the overall intent is total control over MS downloading then Defender gets the axe. That was totally weird behavior for Defender, could O&OShutup10 and/or WUMT Wrapper Script be to blame?

2 users thanked author for this post.

MrBrian, Fred

Reply | Quote

Hi Schnarph. You certainly did a lot of effort to control the new installation. I too have the experience that Micro$oft wishes to know and scan the contents of computers. I do not use any of MS protect  and try to control the snooping stuff, but not to a complete succes I think; but like Zuckerberg….. MS total data hunger seems unstopable.
Perhaps there comes a time in the near future that Linux Mint -or so- will be the better and more secure operating system.
greetings

Edit ti remove HTML. Please use the “text” tab in the entry box when you copy/paste

* _ the metaverse is poisonous _ *

Reply | Quote

Probably unrelated, but this new build had one of two sticks of ram go bad causing all sorts of issues for a couple of days until I found the source of the problem. After getting new ram, I also reverted changes made by O&O Shutup10, uninstalled Avast free AV, and upgraded to fully updated 1709. I still use WUMT Wrapper Script, but now with only Defender as my AV the large daily downloads have stopped.

Since I made all these changes at the same time (very unscientific), the cause of large Defender daily downloads is a mystery. WUMT Wrapper Script has Defender platform and definition updates listed, as if it should stop them until asked, so what was the 130-150MB daily downloading all about? Maybe it was caused by one of the “recommended” O&O Shutup10 settings? I don’t know, but all has been well now for the last week. Without O&O, Windows 10 telemetry/spying is in full swing but doesn’t seem to use any more internet than Windows 7 on another machine here.

Reply | Quote

Thanks for the list

although i never needed to go so aggressive to stop W10 auto WU 🙂

Reply | Quote

There is one minor glitch with WUMT Wrapper Script, it causes sfc/scannow to report corrupt files that cannot be fixed. The CBS.log reports that it cannot check UsoClient.exe, WaaSMedic.exe, or SIHClient.exe. The script stops these services to block updates, and when the included Uninstaller.cmd is run sfc/scannow reports no “integrity violations”.

The included _readme.txt explains which services get disabled, but says nothing about causing sfc errors. If it wasn’t for a bad stick of RAM I probably wouldn’t have run sfc to discover this non-issue.

2 users thanked author for this post.

Elly, MrBrian

Reply | Quote

Oops, that last post was me.

1 user thanked author for this post.

Elly

Reply | Quote

Thank you for the info :).

I’m not surprised by this because the method that WUMT Wrapper Script uses stops all access (even read access) to those files.

I would not expect use of the Image File Execution Options debugger registry method to have issues such as this.

1 user thanked author for this post.

Schnarph

Reply | Quote

I did read this thread before posting, but having used WUMT and WUB then graduating to the WUMT Wrapper Script before trying anything like “Image File Execution Options debugger registry method”, I can’t make an objective comparison. Besides the sfc false red flag, I find the WUMT Wrapper Script to be very simple to use without requiring changes to any other Windows settings be it metered connections, GP edits, etc. Disclaimer: 10 Pro update settings advanced options are Semi Annual Channel, 365 days, and 0 days quality update. I didn’t change anything in the script, WUB, or WUMT, but daily checks show that it is blocking Defender updates until confirmed which could produce security holes for those that don’t stay vigilant. IMO there’s nothing like total control over WU, so the pros outweigh the cons.

Since this thread is all about controlling Windows 10 updates, is there any consensus on a preferred method? With 1803 coming very soon, blocking updates is a hot topic.

1 user thanked author for this post.

MrBrian

Reply | Quote

I don’t know if there’s a consensus, but I personally plan to use the Image File Execution Options debugger registry method. I need to work on it more….

1 user thanked author for this post.

Schnarph

Reply | Quote

Belated reply, but I can confirm that the image file execution options debugger method does not lead to any errors when running sfc /scannow on any files, including the ones that are blocked from running. Running the AveYo script of choice, since they all invoke that method, plus metered connections is right now my paranoid choice for when I do have to actually use my personal PCs at home, until I’m ready to install updates via WUMT.

2 users thanked author for this post.

Schnarph, MrBrian

Reply | Quote

After updating my Z370 UEFI/BIOS to the latest version, I reverted the changes made by WUMT Wrapper Script using the included uninstaller script. I’ve switched over to the most recent windows_update_installs_toggle.bat, AKA “Image File Execution Options debugger registry method”, and WUMT or manual WU check for updates. This does function the same but does not throw sfc/scannow errors, as expected. One potential benefit, the WUMT Wrapper Script was blocking everything including defender updates requiring daily checks with the WUminitool, while the windows_update_installs_toggle.bat allows Defender updates without intervention.

Another possible problem with either method, I’m getting the same warnings from event viewer daily or on every boot for event 200, 201, and 202. These are all DeviceSetupManager complaining that it can’t connect to the internet, so I get these same warnings on offline computers with no WU blocking scripts. Maybe it’s my super slow ISP @250KBps/1,000ms ping at best?

Could anyone using an AveYo script check your event viewer for similar warnings? It’s all false flags causing no harm, but isolating the cause would be helpful. TIA

1 user thanked author for this post.

MrBrian

Reply | Quote

6/22/18- Update to ver.2.3.7 of WUMT Wrapper Script (actually a few version updates over the past weeks/months):

I can’t see all the comments regarding version behavior changes of this script without a “My Digital Life” forum account, required to view most comments by the author pf100. I can confirm that it still causes “sfc /scannow” to report corrupt files that it cannot fix, even when doing the sfc after “DISM.exe /Online /Cleanup-image /Restorehealth” (which completes successfully).  The script still works to block updates, but if a user has other Windows issues and tries sfc then the search through log files is obviously [an annoyance].

I’m sticking with windows_update_installs_toggle.bat for a clean sfc report. It still works great combined with WindowsUpdateMiniTool.

Reply | Quote

I saw this recent article from Windows Central web site:
https://www.windowscentral.com/how-stop-updates-installing-automatically-windows-10
not sure how effective the tips in that article will be.

Reply | Quote