Windows Update, Automatic Update, and SAFER


points out an annoying problem with the new version of Windows Update in his last comment — it doesn’t work from a RunAs-ed Internet Explorer session.

This is a known problem with Windows Update that will hopefully be addressed in a future release. Basically, because of the new integration with the Automatic Updates service, there is some kind of problem where the service tries to figure out who the current interactive user is, and it gets confused by the fact that Windows Update is running under a different context. (I don’t work on the Windows Update team, so that’s my best attempt at relaying what I remember of what they told me 😉 ).

Whilst I think this is annoying, I do like the fact that Automatic Update will no longer nag me to install things that I have already downloaded via Windows Update, which is what used to happen in the past. Personally, if I can’t be bothered logging off and back on as Administrator, I just download and install the patches directly from the bulletins, then re-run Windows Update to ensure I’ve got everything I need.

As for the SAFER — as you probably know, I run with SAFER turned on as well (but disabled for Administrators) and everything works fine from my RunAs-ed Admin account… I have found that sometimes changes you make in the secpol MMC snap-in never actually get updated in the registry, so you have to go hive-diving and slash and burn some registry keys (obviously not supported, etc.).

But the real issue (as described in my Paranoia post) is that although the download packages from are signed, they are basically self-extracting installers and the bits *inside* the package are not signed, so the self-extractor runs but then the actual update program bombs 🙁

Update 14th October 1:45 PST:

After re-reading Jeroen’s comment, I realised that he was actually talking about a different issue — that is, why can’t you run Windows Update as a non-administrator full stop (or “period” as an American might say). Well, Windows Update updates the operating system, and that’s something that non-administrators should not be allowed to do, even if the updates are “for the good of the system.”

For example, what if you are a lowly user on a Terminal Server and the update breaks a mission-critical application that other users on the machine are trying to run? That’s not a very good situation to be in…

Comments (5)

  1. I obviously understand that a non-admin cannot actually install the updates, but it would be nice to have the option to be notified that updates are available (it would be even better if it would prompt me for admin credentials when I click on the systray icon).

    On the subject of SAFER, it would be nice if it understood managed code. I want to be able to install and run partial trust .NET applications as a limited user.

  2. Peter Torr says:

    You are absolutely right that we need to better integrate our managed and unmanaged security story. Once upon a time I believe there was going to be a way for SAFER to defer security decisions to CAS for managed EXEs, but it never surfaced.

    Personally I am against prompting for admin credentials when the user attempts to complete a task… it is too easy for users to be spoofed into giving away their credentials to someone else.

  3. Let the admin make the decision if Windows Update stuff can/should be installable by non admin users. It sucks that things like the GDI+ test thing bombs out on my users 🙁

    The only things that can automatically be done now are critical updates via SUS. The others, I have to go around, machine by machine and install the recommended ones as Administrator 🙁

  4. Regarding not being able to run Windows Update as a non-admin:

    While I agree that it is generally wise to restrict non-admins from making changes at the system level, I do believe that a non-admin should still be able to run WU just so he can review how many and which patches his system is missing.

    On the other hand, the argument for restricting non-admins from making "arbitrary changes to the system" falls down once you start to consider the fact that automatic updates (if enabled) will download and install all critical same patches whenever the regularlly scheduled AU time is. As a result, by restricting a non-admin user from applying any patches, including critical ones, through WU, we forcing him to leave his machine in a vulnerable state for however many hours fall between when he was sitting in front of his computer and when AU activates.

    I think that WU should be modified so that any user with any rights can run the tool that reviews the state of the system and then find out exactly which patches and updates are missing. Any user should also be able to select, download and install any *critical* updates at that time, in order to close the vulnerabilty as soon as possible (versus having to wait until AU installs it anyway)

  5. Peter Torr says:

    I agree that it would be nice to have a privilege that could be assigned to any user that enabled them to install WU patches. This would help greatly with getting everyone to run as a non-admin.

    Presumably the privilege would be granted to users by default in Home / Workgroup machines, but only granted to Administrators in Pro / Server / Domain-joined machines.