• TurboTax Installation Starts Windows Update Service!

    #101356

    I’m not sure this belongs in the security advisories section, but I couldn’t see a better place to put it… Woody, you can move it or make a blog post out of it if you want.

    On my Windows 8.1 workstation I have several layers of protection in place to prevent Microsoft from auto-updating my systems when they want to. These include:

    • Automatic Updates configured to be Disabled in gpedit.msc.
    • Windows Update set via the control panel to “Never check for updates (not recommended)”.
    • Windows Update service (wuauserv) Disabled using Services.msc.
    • I have Disabled all the scheduled tasks in the WindowsUpdate section of the Task Scheduler.
    • I run Sphinx Windows Firewall Control software and have it set to only allow contact with sites like fe2.update.microsoft.com and other Microsoft update servers via reconfiguration when *I* choose to apply updates.

    Yet with all that this morning I found, unexpectedly, wuauserv running and trying repeatedly to contact fe2.update.microsoft.com. The Sphinx Windows Firewall Control software I run was blocking all attempts, thus preserving my control over my system. In fact it was the firewall software’s on-screen pop-up that alerted me. The firewall’s log shows that the contact attempts started just after 3 am.

    This is exactly the kind of extra protection I have Sphinx Windows Firewall Control for. And it shows that multiple levels of protection to accomplish one’s goal of retaining control over one’s own system can actually be necessary.

    As to how the Windows Update service got started…

    I installed TurboTax 2016 yesterday, so as to facilitate my preparing our US tax return. The install left its “Intuit Update Service v4” running. Could it also have initiated wuauserv? You wouldn’t think so, since they’re a separate company from Microsoft…

    However, my System event log shows conclusively that the Windows Update service was changed from Disabled to Demand Start, wuauserv was Started, then the service configuration changed back to Disabled – right at the time I installed TurboTax as indicated in the Application event log!

    This is the first time I’ve ever seen the installation of an application initiate the Windows Update service, even when the service is marked Disabled!

    Two things:

    1. Shame on Intuit for having the TurboTax software start the Windows Update service EVEN WHEN IT HAS BEEN DISABLED BY THE USER.
    2. Props to the authors of Sphinx Windows Firewall Control for providing an additional layer of protection against unexpected/unwanted communications!

    -Noel

    3 users thanked author for this post.
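
The event-log sequence described in the post above (start type changed from Disabled to Demand Start, then back to Disabled) can be searched for directly in the System log. The script below is an added example, not part of the original post. It assumes an English-language log, where Service Control Manager event 7040 records start-type changes, and the window and look-back values are arbitrary choices.

```powershell
# Added example: list services that were switched away from Disabled and put
# back to Disabled shortly afterwards, based on System log event 7040.
$windowMinutes = 10   # assumption: maximum gap between the two changes
$lookbackDays  = 7    # assumption: how far back to search

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7040   # "The start type of the <name> service was changed from <old> to <new>."
    StartTime    = (Get-Date).AddDays(-$lookbackDays)
}

# Event 7040 data fields: [0] service display name, [1] old start type, [2] new start type.
# The start-type strings ("disabled", "demand start", "auto start") are localized.
$changes = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = [string]$_.Properties[0].Value
                From    = [string]$_.Properties[1].Value
                To      = [string]$_.Properties[2].Value
            }
        }
)

# For each service, pair a "disabled -> X" change with the next "X -> disabled" change.
foreach ($group in ($changes | Group-Object Service)) {
    $opened = $null
    foreach ($c in ($group.Group | Sort-Object Time)) {
        if ($c.From -eq 'disabled' -and $c.To -ne 'disabled') {
            $opened = $c
        }
        elseif ($opened -and $c.To -eq 'disabled') {
            if (($c.Time - $opened.Time).TotalMinutes -le $windowMinutes) {
                [pscustomobject]@{
                    Service    = $group.Name
                    EnabledAt  = $opened.Time
                    EnabledAs  = $opened.To
                    DisabledAt = $c.Time
                }
            }
            $opened = $null
        }
    }
}
```

Each output row is one enable-then-disable pair; comparing `EnabledAt` with installer entries in the Application log shows which install coincided with the change.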
    • #101374

      That’s a good heads-up, Noel!

      As a rule I usually set Intuit to manual update only after installing.  I do this with most programs because I don’t like things to automatically go out and update.  I like to know when something changes.

      Although I do have a few other items that seem to be able to outsmart me, that do not have options for update settings, and need to be able to connect to the net or else it breaks them.

      With things like web browsers or Dropbox updating, it would seem to be OK to allow automatic product updates, because any potential damage should probably be limited to that product.

      But it seems to be a trend with some current security programs to grab product updates automatically, without user intervention.  It’s annoying to suddenly get a popup “reboot now to complete update”, or something like that.  I’m looking at you Avira!!!

      Windows 10 Pro 22H2

    • #101433

      This company which develops TurboTax is only responsible for their users’ security, although they should have asked for user approval in the installation process or when starting the application. Changing system wide settings without such approval is not acceptable. If they consider Windows Update service essential for their software, they could have blocked the installation or the running of the software if the service was not started, but not change it without user consent.

      And now some background and speculation about why they did this, possibly with Microsoft’s blessing.

      A system with the Windows Update service changed is not supported in the Microsoft sense, although there are recommendations in this sense from reputable companies which develop virtualised products like Citrix and VMware, and this is one of the recommendations for virtual machines running desktop OS (VDI) to reduce resources in use.

      The officially supported methods to disable Windows Update (not the service) are the regular GUI and the configuration of the Group Policies.

      Anything else beyond that is done only by experts who go beyond the official recommendations and such configurations are never guaranteed to last after any system change.

       

      • #101558

        > they should have asked for user approval in the installation process or when starting the application. Changing system wide settings without such approval is not acceptable.

        Yes, especially since they clearly derived that it was disabled, evidenced by their enabling it, starting it, then disabling it again (all shown clearly in the event log).

        I presume they took automatic action because they want to make their software accessible to technically challenged users, but no way could it ever be considered appropriate for them to start a service that’s specifically been disabled. A pop-up stating the TurboTax update is unable to complete because the Windows Update service is disabled would be fine. A [Start it] button could even be provided if they didn’t want to have to take service calls on that pop-up.

        > The officially supported methods to disable Windows Update (not the service) are the regular GUI and the configuration of the Group Policies.

        About that… I have done so, yet when the service ended up started it STILL tried to contact Microsoft. If these “officially supported” methods are ineffective whenever Microsoft chooses not to obey user settings, then what good are they?

        Microsoft has most certainly blurred the line between “resilient and helpful operating system” and “malware”.

        -Noel

        1 user thanked author for this post.
        • #101582

          I think the current versions of Windows are not designed to be used offline, at least not in normal configurations.
          There are highly secure environments with special requirements which are configured in that way, but they have expensive support agreements with Microsoft, elaborate Change Management processes and in general spend big money to keep those environments customised and not changed to suit their purpose.
          I don’t really understand why you need to control all the communication with the internet so tightly, because it is very likely that this would cause a lot of problems and extra time spent for little benefit.

          • #104513

            Thing is, I’m really not seeing a lot of problems. My systems just work.

            The devil is in the details, and I have the details under good control. 🙂

            If you can identify specific issues with specific subsystems that you think will be problematic, I’ll be glad to describe how they work for me. I don’t claim to use all of what Windows can do, but of what I do use I don’t accept troublesome behavior.

            -Noel
