How does WSUS determine a patch is missing?

Discussion in 'Update Services' started by D Riberdy, Jun 26, 2007.

  1. D Riberdy

    D Riberdy Guest

    I am trying to figure out how WSUS currently determines how a patch is
    missing from a server. Does it check the individual files in each patch and
    then report it as missing if the files are at a previous version?

    I have seen in the past that software can install previous versions of dlls,
    etc that "break" patches already applied. Windows Update from the web does
    not recognize them as being needed again but the vulnerability still exists.
    D Riberdy, Jun 26, 2007
    1. Advertisements

  2. The Windows Update Agent tells it that it's missing.
    The Windows Update Agent does a file level version check based on the
    metadata stored in the update detection logic, which is obtained from the
    WSUS Server during a detection event, provided that the update detection
    metadata contains file level version data.

    Only stupid software from stupid software developers on systems prior to
    Windows 2000, where the stupid software developer failed to check the
    version of the installed DLL prior to overwriting it with an older version
    contained in the stupid software developer's installation package.
    That really depends on what the update is; how old the update is; what
    detection methodology is coded into the update package's detection logic;
    what version of the operating system you're using; what version of the
    Windows Update Agent you're using; and whether or not the affected DLL(s)
    are actually part of any given update package.

    Do you have a *specific* example you'd like to discuss?

    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jun 27, 2007
    1. Advertisements

  3. D Riberdy

    D Riberdy Guest

    The actual incident in question was installing Microsoft Application Center
    SP1 that undid the fix for the Blaster virus on all the servers we installed
    it on. Even though Microsoft listed it as installed and said we were
    protected an audit found us vulnerable. We had to switch to a 3rd party tool
    becuase the customer felt that we and Microsoft were unable to properly
    manage the patching and healthiness of the environment.

    So, If a, as you put it "Only stupid software from stupid software
    developers" were to overlay a newer patches dll with an older version, will
    WSUS then show it as missing? Or is that entirely dependent on the people
    packaging the patches to insert all the proper data for WSUS to do that type
    of checking ala "The Windows Update Agent does a file level version check
    based on the metadata stored in the update detection logic, which is obtained
    from the
    WSUS Server during a detection event, provided that the update detection
    metadata contains file level version data."

    D Riberdy, Jun 27, 2007
  4. Interesting.... but a rather ancient problem, wouldn't you agree? The
    Blaster virus is almost four years old; Application Center 2000 SP1
    (released: Oct 2001) actually pre-dates the Blaster virus by almost two
    years; and Application Center 2000 SP2 was released four years ago to
    support AppCenter2000 on Windows Server 2003.

    As for the Blaster virus itself, it actually exploits an issue that was
    fixed by MS03-026 (KB823980), which isn't even an active update anymore,
    having been superceded by a Service Pack on every operating system except
    Windows 2000.

    So, lacking a *current* example, let's take this scenario in the context it

    So, if I understand you correctly, you directly installed Application Center
    2000 SP1 on top of a machine already containing MS03-026, and then were
    surprised when a 2 year old service pack replaced some files with older

    Okay... so lessons learned: [a] Always install updates in chronological
    order of release. Always run a security scan after applying any old

    Also, keep in mind that the OS reporting an update as "Installed", merely
    means that the installer successfully ran, and that the necessary registry
    values were created. It indicates nothing about whether the component files
    are physically present, corrupted, or overwritten with an older version by
    some other installer.

    Hmmm... and, in reality, it was probably nothing more than a deployment
    error in the installation of the AppCenter 2000 service pack. :)

    To that extent, the customer was probably partially correct in expressing
    concern about your inability to properly manage the patching and healthiness
    of the enviornment. :-\

    *TODAY*, with *WSUS* (or SMS, or WU/MU, or MBSA -- all of which use exactly
    the same scanning technology) (neither of which existed when you were
    installing AppCenter service packs on top of Blaster security vulnerability
    patches), all patches are *DETECTED* based on the requisite file contents
    and version numbers of those files.

    But, yes, WSUS/WUA is wholly dependent on the publisher of the UPDATE (which
    is generally the product group responsible for the specific product being
    updated), to properly configure the metadata for the detection logic of that
    update. Ergo, the Windows Update Agent can only do what the product team
    tells it to do via the update detection logic.


    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jun 28, 2007
  5. D Riberdy

    D Riberdy Guest

    So, what you are saying is that I am at the mercy of a patch developer doing
    their job correctly to ensure that the patches will scan correctly in WSUS?
    Is this a standard routine for them to do or is there currently cases where
    it doesn't have the correct information? Microsoft has been known to
    re-re-release patches due to improperly packaged files before.
    Actually, you understood me incorrectly. The above patch MS03-026 was
    installed when the base machine was created with Windows Update. We
    installed Microsoft Application Center 2000 SP1 as a complete application -
    not just the SP1 patch. When we rescanned the machines at the end of the
    build process, there were no updates to be found - ergo the logic built into
    either the MS03-026 patch itself OR Windows Update was flawed.

    Therein lies their concern as well as ours that if we hang our hats on the
    WSUS product, which by the looks of the forum posts here for version 3, has
    less than spectaular commentary, that it will ensure that we are patched to
    the fullest extent and rescan previously installed patches to make sure
    nothing like the above happens. If it falls on the product team or WSUS
    directly, it still is a "Microsoft" problem that things are not scanned
    D Riberdy, Jun 28, 2007
  6. D Riberdy

    Asher_N Guest

    Well, Windows Update does what the patch tells it to do to detect, so
    it's not flawed.

    The update will look for either file versions, or more likely registry
    entries. So installing MS03-026 created the requisite entries and folders
    in the Windows folder. Then you load a 7 year old piece of software that
    blindly clobbers a bunch of DLLs. The MS03-026 registry entries are still
    there. What do you expect the detection to do? Scan version of every file
    it replaces? For large patches and SPs, it would consume too much
    resources on the clients.

    If you want to escape responsibility and lay the blame on Microsoft, then
    blame App Centre.

    Personnaly at this point, I'd upgrade App Centre to the cuttent version.
    Or at least, install it immediately after the OS, before patches.
    Asher_N, Jun 28, 2007
  7. D Riberdy

    D Riberdy Guest

    *sigh* as Garvin noted this was an old problem. The point being we have used
    other products and are now wanting to investigate WSUS as a possible solution
    for patching.

    Yes, I would expect that if I were to call for a scan of missing patches on
    a server, it would check the file versions to ensure that they match with
    what is is expected to be there. Other tools do the exact same thing and
    don't seem to be consuming too many resources.

    So far, I haven't really heard any good reason to vary from what we are
    using to go to WSUS since we cannot expect that it would confidently tell us
    what we want to know. I guess if you vary from the norm and don't kiss the
    ring of Microsoft you get belittled on these forums.
    D Riberdy, Jun 28, 2007
  8. The detection logic is part of the Windows Update product, speaking in the
    broader sense.
    MBSA 1.2.1 seemed to manage to do this without being very resource-hungry.
    (Granted service packs are a special case.)

    Probably qfecheck is the right tool to check for this class of problem.
    However, it does seem that this functionality should be built into WUA, or
    perhaps the OS.

    ... actually the other thing that puzzles me is why Windows File Protection
    didn't kick in.
    Are you suggesting that whenever we need to run a new application we should buy
    a new server? I don't think that's a feasible solution in general. :)

    Harry Johnston, Jun 28, 2007
  9. You'd be at their mercy even if you used Microsoft Update!

    You'd also be at their mercy if you solely relied on the verbage in the MSRC
    or KB document.

    At some point ya either gotta trust your OS vendor to some point, or ya
    gotta find a new OS vendor.

    I'm afraid I can't help you much with your paranoia. ;-)

    Okay.. so either way.. what you're telling me is that you installed a
    product whose release date preceeded the release date of security updates on
    the system, and you never considered the need to evaluate whether those
    security updates needed to be reinstalled?
    Or, you misunderstood the significance of whatever tool you used to do the

    But, again, that was in 2003, four years ago. It's really a pointless
    discussion now.

    Like I said above.. it matters not what the PRODUCT used to scan or install
    the patch is -- ultimately, in *ANY* circumstance -- you're entirely
    dependent upon the Microsoft Sustained Engineeering team(s) for the various
    products to forsee every possible installation environment, and be able to
    detect every possible installation scenario -- including somebody who'd want
    to install a two year old product onto current hotfix security patches.

    Bottom line is: That's why every "best practice" document in the world says

    Prove to YOURSELF that the patch installs correctly, doesn't break anything
    on your systems, and does what you need it to do, and then, when you've done
    that, deploy it to production systems.

    I really don't think there's much else I can say.

    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jun 29, 2007
  10. Actually, this is a misconception.

    The =engine= is contained within the Windows Update Agent code.

    However, the =data= that tells that engine what to do is contained within
    the update package itself, and is unique to each update package.

    It's generally this data that is the reason updates have "revisions", and
    MSRC documents are revised. Case in point -- just today Microsoft revised
    MS07-022 for issues affecting people running Windows 2000 Service Pack 4 on
    NEC 98 systems.

    Thus my comments, elsewhere, indicting the "scanning tools" used to
    determine whether the post-install AppCenter2000SP1 system was secure. MBSA
    v1.2.1 didn't exist in 2003 when this incident happened. I know that it was
    2003, because if it had been 2004 they surely would have installed
    AppCenter2000SP2 -- although that wouldn't have been any guarantee either,
    since AppCenter2000SP2 (Jun 2003) also predated MS03-026 (Jul 2003).

    Hehe... so AppCenterSP2 was released *before* MS03-026, and they chose to
    install a slipstreamed *downlevel* version of the application. Go figger...
    but it was suicidal, at best (and, of course, we also have the benefit of
    hindsight to support that appelation).

    Which then makes me want to ask when this really did occur, but either way,
    I think it would just complicate the decisions behind the deployment
    choices -- either way, the *current* version of the application was not

    Windows File Protection on a Windows 2000 Service Pack 3 system? Service
    Pack 4 was only released in June, 2003, and I suspect not yet installed on
    the subject system, given that they also were not installing AppCenterSP2
    (Jun 2003).

    No, I don't think that's what Asher is suggesting, but then I also think
    that he's misunderstood that this incident is a legacy incident, that
    occurred four years ago, not in the recent past.

    It's also irrelevant, because AppCenter2000 isn't a supported product at
    all, any more. Mainstream Support expired in July, 2006. Only Security
    Updates for AppCenter2000SP2 are available, now.

    However, in either situation, the *correct* installation methodology would
    have surely alleviated some of the issues experienced. The *application*
    being installed was at a SP level dated from October, 2001, on top of a
    patch released in July, 2003 (and possibly, even, an unsupported SP level if
    this all happened after June 2004).

    That means, de facto, the *application* had no knowledge of any updates
    applicable to that system beyond that date -- even the most current SP for
    that application could not have known.

    The logical conclusion (at least to me) would be that *anything* released
    after that date was subject to having been corrupted. At a minimum I would
    have (RE)INSTALLED Service Pack 4 (Jun 2003), and all security patches
    released after Service Pack 4 (which would have included MS03-026) -- but
    then I would have also installed the product's most recent service pack as

    The second problem was trusting the patch tools available at that point
    (Windows Update) to properly identify the deficiencies in the patch level of
    the system. In 2003, all that WU did was check a registry value to determine
    if a patch had been "installed" or "not installed". The only certain way to
    know was to personally verify the file versions and/or simply reapply the
    update(s) potentially affected -- and certainly any Critical Security
    Updates -- like a Blaster patch!

    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jun 29, 2007
  11. Yeah, but I'd define the Windows Update *product* to include both the Windows
    Update Agent and the update packages - neither can function without the other,
    after all.
    Ah. That would explain it. I hadn't quite picked up on quite how far back into
    the dark ages we were looking here.
    Sure, but that's not my point. I think that if patch corruption isn't reliably
    detected - regardless of what may have caused the corruption - this is (or was!)
    a legitimate concern. (It could - presumably - just as easily have happened as
    the result of a recent but badly written third-party installer.)

    Does Windows File Protection address this problem? It seems that it should, but
    I don't know a lot about exactly what it actually does. Certainly I've seen
    QFECHECK report a problem when WFP was silent - but I'm still not sure whether
    or not that was a false negative or a false positive, and slipstreaming was
    involved which I suppose bypasses WFP anyway.

    Harry Johnston, Jun 29, 2007
  12. I understand that propensity for the common perception -- but the
    distinction is actually very significant.

    There's this natural inclination to want to blame WSUS, WUA, or the WSUS/WUA
    dev teams for failings that appear to be in the product, that are actually
    defects in the detection -parameters- defined by the update itself.

    Perhaps the most classic example I can recall off the top of my head is the
    (still existing) Snafu with the JVM update (KB816093). See this article for
    additional info:

    Those update detection parameters are solely the output of the individual
    product team's Sustained Engineering groups -- and totally outside the
    purview of the WSUS/WUA teams. So, in the above example, the flaw lies in
    the work product of the JVM SE group -- no doubt which was long disbanded by
    the time the detection flaws in KB816093 were discovered by WSUS 2 admins in
    July, 2005.

    It's kind of like a beer distributor. They bring the Budweiser to you, and
    they're responsible if the glass is broken, or the cans are dented, but they
    got nothing to do with whether the beer tastes good, or whether you prefer
    MGD to Bud Select.

    I absolutely agree with you.

    But the appropriate procedures in 2003-2004 are entirely different than the
    appropriate procedures in 2007.

    In 2003, the situation require a much greater involvment of *human*
    verification and validation.

    Granted, but either way, there's still a certain amount of undenyable
    responsibility that sits in the lap of the person at the console.

    *Today* on a Win2003 or WinXP system, yes, WFP would definitely have
    prevented that snafu.

    Actually, the whole updated patch mechanism built into XP and 2003, which
    makes use of the %windir%\$hf_mig$ update cache folder, would have
    automatically replaced that downgraded DLL needed by MS03-026.

    In fact, just the other day I hit a wall with WFP trying to downgrade a WUA
    to do testing on the WUA upgrade patch for WSUS 3.0. Because the wups.dll
    files were installed from the WUA v7 package, and covered under WFP, when
    the WUA v5.8 installer tried to overwrite them via use of the /wuforce
    switch -- or when I tried to manually delete them and replace them with the
    v5.8 files -- WFP simply replaced the v7 files.

    In fact, it's this very technology that's obsoleted the legacy practice (on
    WinNT and Win2000) of having to 'reinstall' the latest service pack after
    every OS "life changing" event.

    Possibly. I'd have to look at this. WFP is supposed to be protecting core
    "RTM" files also, so by that standard, slipstreamed updates should also be
    protected. On the other hand, if slipstreaming doesn't properly update the
    WFP registration database, WFP would have no way of knowing that a newer
    version had been replaced. Also, WFP is quite dependent on the "cache" copy
    of those files in the dllcache folder, and if they're not there, they
    wouldn't be replaceable.

    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jun 29, 2007
  13. I hadn't thought of looking at it that way. Certainly the actual update is not
    part of the Windows Update product; for example, if the update doesn't actually
    close the vulnerability it is supposed to address, that certainly isn't a
    Windows Update problem. By analogy, then, the detection parameters also aren't
    part of Windows Update, though the implementation of those parameters is.

    Harry Johnston, Jun 29, 2007
  14. Exactly.

    Lawrence Garvin, M.S., MCTS, MCP
    Independent WSUS Evangelist
    MVP-Software Distribution (2005-2007)

    Everything you need for WSUS is at

    And, almost everything else is at
    Lawrence Garvin \(MVP\), Jun 30, 2007
  15. D Riberdy

    Al Wilson Guest

    I would like to dicuss a specific Example:

    I have a scanner from a third party, and it indicates that a server is not patched with (MS08-069) Vulnerabilities In Microsoft XML Core Services Could Allow Remote Code Execution (955218) because

    -> VULN: File path (%systemroot%\system32\msxml6.dll) is NOT fixed.

    -> Function: DoesExistingFileMatch

    -> Required Version: 6.20.1099.0

    -> Existing Version: 6.10.1200.0

    With WSUS saying that the machine is patched, I wonder how it knows that? I suspect it is looking for the "uninstall" registry key.

    Can anyone help me out with a source of information?

    Al Wilson, Sep 24, 2010
  16. WSUS doesn't distinguish between updates that are installed and updates that
    aren't applicable, so perhaps your system doesn't meet the requirements? It
    might also turn out that MSXML6 isn't actually installed, but the file got left

    Which OS is this on? Which service pack? If Windows 2003, does MSXML6 appear
    in Add/Remove Programs?


    PS: if it seems quiet in here, that's because Microsoft have closed this newsgroup.

    You might want to consider visiting the appropriate web forum instead.


    Windows Update:
    Harry Johnston, Sep 27, 2010
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.