Karlston Posted December 6, 2018 Share Posted December 6, 2018 Killing Windows Update on Windows 10 - a cheat sheet Comments on this article are at askwoody.com. Microsoft can not conceive of a valid reason for a Windows 10 user not to want the latest bug fixes. Bug fixes good, is their corporate mantra. They are, however, wrong. Not only are there many instances where stability trumps patches, they have shown over and over again that their patches are not to be trusted. Just this week, Windows 10 bug fixes caused the Surface Book 2 to crash. My recent blog Defending against Windows 10 bug fixes discussed many options for postponing bug fixes but none, other than keeping the computer off-line, are foolproof. The most interesting section of that very long blog is A full frontal attack on Windows Update. This is a simplified, cheat sheet, version of that section. Back on Windows 7, it was so much easier to disable Windows Update, there was just one service to worry about. Those were the good old days. With Windows 10, there are three aspects to disabling Windows Update: shutting down multiple Services, disabling many Scheduled Tasks and preventing the parts of Windows Update that can not be shut down from phoning home. Microsoft has limited the first two options, some services and started tasks can not be disabled, even by Administrative users. And, like the Walking Dead, some services and tasks that we can disable, get re-enabled over time. This is not well worn territory, and I am no expert on Windows Update. Every Windows Service and Scheduled Task referred to below is not installed on every Windows 10 machine. This is because Windows Update keeps changing, in large part, to prevent people from doing just this. SERVICES Try to disable all the services involved with Windows Update. You should be able to disable the legacy Windows Update Service (wuauserv) and the Windows Remediation Service (sedsvc). Windows 10 Update Facilitation Service (osrss) can not be stopped or disabled. My experience with the other two services (Update Orchestrator Service (UsoSvc) and Windows Update Medic Service (WaaSMedicSvc) has been inconsistent. SCHEDULED TASKS As with Services, try to disable all the Scheduled Tasks you can. AC Power Download can not be disabled Maintenance Install can be disabled MusUx_UpdateInterval On one PC I could disable it, on another I could not MusUx_LogonUpdateResults can not be disabled normally PerformRemediation can not be disabled Reboot can not be disabled Scheduled Start can be disabled Schedule Scan can not be disabled shell can be disabled sih can be disabled sihboot can be disabled UpdateAssistant can be disabled UpdateAssistantCalendarRun not sure UpdateAssistantWakeupRun not sure USO_Broker_Display can not be disabled I have not seen, but have read about other Windows Update related scheduled tasks: USO_UxBroker_Display, USO_UxBroker_ReadyToReboot, Policy Install and Resume On Boot. For dealing with the Windows Task Scheduler, I suggest TaskSchedulerView by Nir Sofer. It is free, portable and from a trustworthy source. FIREWALL While some Services and Started Tasks are off-limits, everything can be blocked in the Windows firewall. Perhaps my big contribution here is the idea of blocking a Windows service from phoning home. Firewalls traditionally block ports, IP addresses and programs but the Windows firewall can also block a Windows Service. We need this since many services run under svchost.exe. To block a Service Control Panel -> Windows Defender Firewall -> Advanced Settings -> Outbound rules (left side column) -> sort the rules by Group to make the ones you create display at the top New Rule .... (right side column) -> Click the Customize... button near Services -> Apply to this service -> Scroll to the service and click on it to highlight it in blue -> OK -> Next -> Take the default values for protocols or ports, so just click the Next button -> Take the default values for IP addresses so just click the Next button -> Blocking the connection is the default, that is what we want, so just click Next button -> Domain, Private and Public are defaulted on which we want, so just click Next -> Give the rule a name like Block Svc xxxx and Finish Do this for every Windows Update service on the PC. These Windows Update related programs definitely phone home to Microsoft, so they should be blocked too. C:\Windows\System32\sihclient.exe C:\Windows\System32\WaaSMedic.exe C:\Program Files\rempl\sedlauncher.exe The click stream for blocking a program is a bit different from blocking a service. It is: Control Panel -> Windows Defender Firewall -> Advanced Settings -> Outbound rules (left side column) -> Sort the rules by Group to make the ones you create display at the top New Rule .... (right side column) -> Program is the default so just click Next -> Enter the program path and click Next -> Block the connection is the default so just click Next -> By default, Domain, Public and Private are all checked, so just click Next -> Give the new rule a name like Block Prog xxxx then click Finish These Windows Update related programs may or may not phone home to Microsoft, I don't know. To be fully protected, they should be blocked with an outbound firewall rule too. C:\Windows\system32\sc.exe C:\Windows\System32\sihclient.exe C:\Windows\system32\usoclient.exe C:\Windows\system32\MusNotification.exe C:\Windows\UpdateAssistant\UpdateAssistant.exe In the end, your firewall rules will look something like those below. Outbound Firewall Rules in Windows 10 The Windows Remediation Service (sedsvc) is C:\Program Files\rempl\sedsvc.exe. Blocking the Service may be sufficient, but to be thorough, you can block it as a program too. According to this article, these other programs are also involved in Windows Update: eosnotify.exe, windows10upgraderapp.exe, remsh.exe (pretty sure this has been retired), dismHost.exe, InstallAgent.exe and Windows10Upgrade.exe. I have not seen them. (Updated Dec 5, 2018) Outbound firewall rules can also be used to prevent Windows 10 telemetry from phoning home to Microsoft, but that's another whole topic. In the image above, copatTelRunner.exe is telemetry and SearchUI.exe is Cortana. FINAL THOUGHTS It would be nice to know the fewest changes needed to block Windows Update on Windows 10 but that is likely to change over time, so it doesn't pay to invest a lot of effort into answering the question. As thorough as all this may seem, there may well be registry zaps that let you disable the Services and Started Tasks that are normally off-limits. I have not looked into this. If Windows Update can not phone home, then it is not critical to prevent every part of it from executing. Of course, if you succeed in blocking patches, at some point you will want or need them. To maintain the most control, see the section on Manual Updating in my earlier blog. (Added Dec 5, 2018) Finally, there are still other ways to attack Windows Update. Reddit user WelshWorker explained his procedure in PERMANENTLY Disabling Windows 10 Upgrade Assistant to stay on one build. His additional steps include blocking 15 domains used by Windows Update, removing all permissions from three Windows Update folders, creating firewall rules to block network communication for the .EXE files in those folders and deleting the contents of the SoftwareDistribution folder. He also has a script to automate some of it. Makes the stuff above seem not so paranoid. Source: Killing Windows Update on Windows 10 - a cheat sheet (Michael Horowitz) Link to comment Share on other sites More sharing options...
PrEzi Posted December 6, 2018 Share Posted December 6, 2018 I use an easier way -> StopWinUpdates v2.4.exe from Baltagy (beware - there are virus infested versions of this too, the clean version is exactly 891 032 bytes). Works like a charm. Link to comment Share on other sites More sharing options...
Matrix Posted December 6, 2018 Share Posted December 6, 2018 Very informative article Karlston thanks a lot m8 i use windows update blocker but not lately due to updates being small in size. Link to comment Share on other sites More sharing options...
The AchieVer Posted December 6, 2018 Share Posted December 6, 2018 A very useful article shared indeed... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.