"Windows Automatic Update" or a backdoor
Page 1 of 2 12 LastLast
Results 1 to 10 of 19

Thread: "Windows Automatic Update" or a backdoor

  1. #1
    Banned shakuni's Avatar
    Join Date
    Aug 2007
    Posts
    24

    "Windows Automatic Update" or a backdoor

    I have four partitions on my computer, say c,d,e and f.Out of these windows is installed on c drive.
    And I have two users on my computer, one is admin and another is InternetUser.I have configured the Internet User in such a way that it has zero permissions on my system except that it can be used to surf the net(with some defined firewall rules) and save a few files on its desktop.Except this it can't do anything on my computer.

    I use internet only from InternetUser.
    But still windows is able to "automatically update" my system.How can it write(update) my system from InternetUser and that also remotely.I think windows has some backdoor preinstalled on the OS.How can I find more about it,so that I can "update" others computers remotely.

    Also I think that if I use a kernel level debugger(like Softice or Windbg) and monitor the system while it is connected to internet,I could find out more about this "automatic update".Had anybody done it before?

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    I think that Windows Updater runs as "system" if it is activated, so it doesn't matter which user is actually logged in.

    To find out how to remotely update computers on a network, go to the MS update site and select the " use administrator options" down the left hand side.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    See, there are many 'type' of users as you may be knowing. One of the most powerful account is named as 'system'. This account has elevated privileges, much more than that of the administrator. It is said that even administrator cannot change anything in the SAM (password file of windows). It is this account that does.

    The system account is used to run the very essential system services. As far as Windows update is concerned, It is done via the process named as 'svchost.exe'. It has multiple instances running under its name each of which gives a particular service to you. There is no way you can DENY permissions to this process (or file for the sake of firewall rules) as this process is the opne which sends and recieves the DNS requests and passes it on to the applications.

    svchost.exe would run under system account and so, you do not have a power to change many things related to the process (of course due to its elevated priviledges).

    If you want to disable the automatic updates, I think you know that way. (it is: My computer ==Right Click==> properties ==> Automatic updates ==> disable and then OK).
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Yes, there are quite a few applications that check for updates and even apply them automatically. Antivirus products do it, ZoneAlarm firewall, et cetera.

    All you need to do is open a connection to an ISP. Provided that the task was initially set up with adequate permissions, it will run as soon as any user makes the connection.

    To find the programs and files being used by Windows Update, search your Windows partition for wu*.*
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Banned shakuni's Avatar
    Join Date
    Aug 2007
    Posts
    24
    Can't we get into this "system account" ?

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    No, not by "normal methods" as it isn't a regular user account, but you can "hack" it:

    http://tech-hutblog.blogspot.com/200...m-account.html

    I can't say I can think of why you would want or need to do this though.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #7
    AO bergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Quote Originally Posted by jockey0109
    See, there are many 'type' of users as you may be knowing. One of the most powerful account is named as 'system'. This account has elevated privileges, much more than that of the administrator. It is said that even administrator cannot change anything in the SAM (password file of windows). It is this account that does.

    The system account is used to run the very essential system services. As far as Windows update is concerned, It is done via the process named as 'svchost.exe'. It has multiple instances running under its name each of which gives a particular service to you. There is no way you can DENY permissions to this process (or file for the sake of firewall rules) as this process is the opne which sends and recieves the DNS requests and passes it on to the applications.

    svchost.exe would run under system account and so, you do not have a power to change many things related to the process (of course due to its elevated priviledges).

    If you want to disable the automatic updates, I think you know that way. (it is: My computer ==Right Click==> properties ==> Automatic updates ==> disable and then OK).
    wuauclt.exe is the windows update automatic update client. That program maintains the local database of windows updates. The database (as well as update downloads) is stored in %windir%\softwaredistribution. You can safely delete this folder. The next time wuauclt is run, it will recreate it.

    svchost controls both wuauclt and BITS (background intelligent transfer service) svchost will run wuauclt depending on your automatic update settings.

    You can stop both of these one or both of these services from running by going to into services.msc and setting the Automatic Update and Background Intelligent Transfer Service (BITS) to either manual or disabled. I think that if you you set it to disabled, then you will not be able to use the Windows Update website either.

    You can also control the windows update settings via the gpedit.msc or the way jockey0109 describes.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    Yes, as far as the %systemroot%\SoftwareDistribution is concerned about it, I was aware about it (had applied updates to a newly installed OS copy from that of an already existing one on the same machine ) Now, yes thats the way update takes place. I did not know about the BITS (thanks for that). But my intension was not to tell him that how Windows update takes place in particular. Since he asked about a backdoor, I thought it would have been better to tell about the system account.

    Of course for most of the things that WIndows does, there is either a way from the policy side (gpedit) or the service side (services).

    And as far as this is concerned:

    No, not by "normal methods" as it isn't a regular user account, but you can "hack" it:

    http://tech-hutblog.blogspot.com/200...m-account.html

    I can't say I can think of why you would want or need to do this though.
    I would certainly ask the person who wrote it if he has tried it himself or not. As far as my small knowlege goes and as per my experience too! ; system account is not able to start ANY PROCESS WITH A VISIBLE WINDOW! If you try to start Explorer.exe under system account, slowly and slowly your desktop will go away, then you will see the buttons of minimize, restore and close balkening out, takbar giogng away, many services will start crashing ans so on.

    Thats not the way you hack into your SYSTEM account. Yes, the at command can be used to run programs with SYSTEM privileges but you cannot start a program which has visible windows and dialogue boxes to operate normally with SYSTEM account.

    Thats as per my experience. Tell me if anyone else has got a success in running it that way! I would like to know HOW!!!
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  9. #9
    Banned shakuni's Avatar
    Join Date
    Aug 2007
    Posts
    24
    you cannot start a program which has visible windows and dialogue boxes to operate normally with SYSTEM account.
    but "a visible window and dialogue boxes" are not required to understand the working of some process.One can always start the process inside the kernel level debugger and monitor its behaviour.

  10. #10
    Senior Member
    Join Date
    Aug 2006
    Location
    India
    Posts
    289
    I am not telling that you cannot start the program. Nor am I telling that it is required. Actually the page that has been linked to in tha post says that by starting EXPLOERE.EXE in system account (after shutiing its context in the currend user space), you can enjoy the privileges that WINDOWS enjoys itself! Now Explorer.exe has got Windows, as you must be knnwing that Mycomputer and the startment and taskbar are all the elements of the explorer.exe process. SO that trick won't work to get privileges over the system with whole desktop up in the SYSTEM account. Got what I wanted to say?
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Administrative Tools - Services
    By carenath in forum Operating Systems
    Replies: 8
    Last Post: January 8th, 2006, 06:03 AM
  3. Windows XP SP2 RC2 - Overview
    By Negative in forum Microsoft Security Discussions
    Replies: 25
    Last Post: June 28th, 2004, 03:28 PM
  4. Windows XP Tips
    By Nokia in forum Tips and Tricks
    Replies: 4
    Last Post: June 18th, 2004, 05:24 PM
  5. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 08:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •