• Unfound Updates

    Author
    Topic
    #2608547

    I have every setting to delay updates. Nothing automatic. Not even defender which I am notified, select and install.

    This morning I had a number of liloxxxxxxxxxxxxxx folders in temp. This indicates “something” installed while I was sleeping. At 1:54 AM to xx AM. I checked what files were created, modified or accessed then and found a number of etl files in USOShared. Looking at those in text could see it was checking th timing of my tasks, but not much more.

    Any idea what could possibly have run by itself?

    The ONLY thing I find in Event Viewer is this:

    Log Name: Microsoft-Windows-WindowsUpdateClient/Operational
    Source: Microsoft-Windows-WindowsUpdateClient
    Date: 12/5/2023 1:46:33 AM
    Event ID: 26
    Task Category: Windows Update Agent
    Level: Information
    Keywords: Success,Check for Updates
    User: SYSTEM
    Computer: Winten-P51S
    Description:
    Windows Update successfully found 1 updates.
    Event Xml:
    <Event xmlns=”http://schemas.microsoft.com/win/2004/08/events/event”&gt;
    <System>
    <Provider Name=”Microsoft-Windows-WindowsUpdateClient” Guid=”{945a8954-c147-4acd-923f-40c45405a658}” />
    <EventID>26</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>11</Opcode>
    <Keywords>0x4000000000000012</Keywords>
    <TimeCreated SystemTime=”2023-12-05T06:46:33.1901943Z” />
    <EventRecordID>70898</EventRecordID>
    <Correlation />
    <Execution ProcessID=”19448″ ThreadID=”7116″ />
    <Channel>Microsoft-Windows-WindowsUpdateClient/Operational</Channel>
    <Computer>Winten-P51S</Computer>
    <Security UserID=”S-1-5-18″ />
    </System>
    <EventData>
    <Data Name=”updateCount”>1</Data>
    <Data Name=”serviceGuid”>{9482f4b4-e343-43b6-b170-9a65bc822c77}</Data>
    </EventData>
    </Event>

    There are two of these at the time the etl files and lilo files were created.

     

    Thanks.

    • This topic was modified 2 months, 3 weeks ago by rebop2020.
    Viewing 7 reply threads
    Author
    Replies
    • #2608550

      Nothing for today under Update History as well.

    • #2608565

      Note the second sentence in Microsoft’s “We’ll ask you to download updates” statement.

      UpdateException

      That’s Microsoft’s “get out of jail” free card to install an update anytime they decide it’s necessary!

      BTW, it “appears” the update might have been for the Windows Update Agent itself.

      • #2608571

        Thanks. This would be the first unapproved update since I have been blocking all – 2 years or more. Could be windows update. Interesting. I wonder if anyone else got something like this recently?

    • #2608580

      Did you try looking in the System log for Source WindowsUpdateClient Event Ids 44, 43 and 19?

    • #2608583

      Yes. There are a bunbch. None at that time and all for Security Updates for Windows Defender. But good thought.

    • #2608626

      You should also check reliability history for Informational events. On my W10 Pro 22H2 systems with Group Policy setting to Notify to download updates, I will still see there one or two daily Defender Security Intelligence updates as well as a random number of updates to Store Apps (e.g. Skype) or Office Click-to-Run updates, etc. When I download and install the monthly updates, of course these will also be listed there.

      HTH. Regards, Phil

    • #2608629

      Thanks. Everything in Reliability are Security Updates which I manually authorized. Nothing else.

      • #2608646

        OK, it sounds as if you have limited or disabled store apps and/or turned off Store updating, which I have not done. However, the GPedit setting of 2 does not stop Defender updates. If I don’t download and install when the update notification appears, it will install sometime later.

        Regards, Phil

    • #2608644

      This morning I had a number of liloxxxxxxxxxxxxxx folders in temp. This indicates “something” installed while I was sleeping.

      What causes you to believe that the presence of these folders in the temp directory indicate that something was installed or that they are related to Windows update?

    • #2608673

      Because 95% of the time something ionstalls it leaves behind an empty lilo folder. For years.There were 7 this morning all at the same time -1:46 AM. Searchinbg for what was created between 1:30 ands 3:30 this nmorning, tons of etls at 1:46 give or take a minute or two. They have some readable content showing they were chacking for  what tasks might be scheduled to run.

      SOMETHING installed something(s) at that time without alerting me. I have not seen that in years. I’d like to know what it was.

      I mentioned that there was nothing new in WU history. I usually have strong clues when it is Edge. but not today. And you saw the log event above SHOWING windows update at that time, but not in history. Seems obvious to me.

    Viewing 7 reply threads
    Reply To: Unfound Updates

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: