
Thread: "Windows Automatic Update" or a backdoor

  1. #1 shakuni (Banned; joined Aug 2007; 24 posts)

    "Windows Automatic Update" or a backdoor

    I have four partitions on my computer, say c, d, e and f. Out of these, Windows is installed on the c drive.
    And I have two users on my computer: one is admin and the other is InternetUser. I have configured InternetUser in such a way that it has zero permissions on my system, except that it can be used to surf the net (with some defined firewall rules) and save a few files on its desktop. Apart from this it can't do anything on my computer.

    I use the internet only from InternetUser.
    But still Windows is able to "automatically update" my system. How can it write to (update) my system from InternetUser, and remotely at that? I think Windows has some backdoor preinstalled in the OS. How can I find out more about it, so that I can "update" other people's computers remotely?

    Also, I think that if I use a kernel-level debugger (like SoftICE or WinDbg) and monitor the system while it is connected to the internet, I could find out more about this "automatic update". Has anybody done it before?

  2. #2 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    I think that Windows Updater runs as "system" if it is activated, so it doesn't matter which user is actually logged in.

    To find out how to remotely update computers on a network, go to the MS update site and select the "use administrator options" down the left hand side.

  3. #3 jockey0109 (Senior Member; joined Aug 2006; India; 289 posts)
    See, there are many 'types' of users, as you may know. One of the most powerful accounts is named 'system'. This account has elevated privileges, much more than those of the administrator. It is said that even the administrator cannot change anything in the SAM (the password file of Windows). It is this account that does.

    The system account is used to run the most essential system services. As far as Windows Update is concerned, it is done via the process named 'svchost.exe'. It has multiple instances running under its name, each of which provides a particular service to you. There is no way you can DENY permissions to this process (or file, for the sake of firewall rules), as this process is the one which sends and receives the DNS requests and passes them on to the applications.

    svchost.exe runs under the system account and so you do not have the power to change many things related to the process (of course, due to its elevated privileges).

    If you want to disable the automatic updates, I think you know the way. (It is: My Computer ==Right Click==> Properties ==> Automatic Updates ==> Disable, and then OK.)
    "Everything should be made as simple as possible, but not simpler."

    - Albert Einstein

  4. #4 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    Yes, there are quite a few applications that check for updates and even apply them automatically. Antivirus products do it, ZoneAlarm firewall, et cetera.

    All you need to do is open a connection to an ISP. Provided that the task was initially set up with adequate permissions, it will run as soon as any user makes the connection.

    To find the programs and files being used by Windows Update, search your Windows partition for wu*.*

  5. #5 shakuni (Banned; joined Aug 2007; 24 posts)
    Can't we get into this "system account"?

  6. #6 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    No, not by "normal methods" as it isn't a regular user account, but you can "hack" it:

    http://tech-hutblog.blogspot.com/200...m-account.html

    I can't say I can think of why you would want or need to do this though.

  7. #7 phishphreek (AO übergeek; joined Jan 2002; 4,325 posts)
    Quote Originally Posted by jockey0109
    See, there are many 'types' of users, as you may know. One of the most powerful accounts is named 'system'. This account has elevated privileges, much more than those of the administrator. It is said that even the administrator cannot change anything in the SAM (the password file of Windows). It is this account that does.

    The system account is used to run the most essential system services. As far as Windows Update is concerned, it is done via the process named 'svchost.exe'. It has multiple instances running under its name, each of which provides a particular service to you. There is no way you can DENY permissions to this process (or file, for the sake of firewall rules), as this process is the one which sends and receives the DNS requests and passes them on to the applications.

    svchost.exe runs under the system account and so you do not have the power to change many things related to the process (of course, due to its elevated privileges).

    If you want to disable the automatic updates, I think you know the way. (It is: My Computer ==Right Click==> Properties ==> Automatic Updates ==> Disable, and then OK.)

    wuauclt.exe is the Windows Update automatic update client. That program maintains the local database of Windows updates. The database (as well as update downloads) is stored in %windir%\softwaredistribution. You can safely delete this folder. The next time wuauclt is run, it will recreate it.

    svchost controls both wuauclt and BITS (Background Intelligent Transfer Service). svchost will run wuauclt depending on your automatic update settings.

    You can stop one or both of these services from running by going into services.msc and setting Automatic Updates and Background Intelligent Transfer Service (BITS) to either manual or disabled. I think that if you set it to disabled, then you will not be able to use the Windows Update website either.

    You can also control the Windows Update settings via gpedit.msc or the way jockey0109 describes.
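As an added illustration of the point made above (not code from the thread or from any poster), the following PowerShell script lists the Automatic Updates (wuauserv) and BITS services, the account each is configured to run under, and the svchost.exe process that hosts them, so you can verify for yourself that they run as LocalSystem regardless of which user is logged in. Service names wuauserv and BITS are the real Windows names; everything else is a constructed check.

```powershell
# Added example (not from the thread): inspect the services behind Automatic Updates
# and confirm which account they run under, independent of the logged-in user.
$serviceNames = 'wuauserv', 'BITS'   # Automatic Updates client and Background Intelligent Transfer Service

foreach ($name in $serviceNames) {
    # Win32_Service exposes the configured logon account (StartName) and startup type (StartMode).
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
    if (-not $svc) {
        Write-Warning "Service '$name' not found on this system"
        continue
    }

    '{0,-10} state={1,-8} start={2,-6} account={3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.StartName

    # A running service lives inside a host process (svchost.exe for these two).
    # Report the host PID and image so it can be matched against "tasklist /svc".
    if ($svc.ProcessId) {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if ($proc) {
            '           hosted by PID {0} ({1}.exe)' -f $proc.Id, $proc.ProcessName
        }
    }
}

# LocalSystem is the well-known SID S-1-5-18, not an interactive user account;
# resolving it shows the "NT AUTHORITY\SYSTEM" name that appears in Task Manager.
$systemSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')
'LocalSystem resolves to: ' + $systemSid.Translate([System.Security.Principal.NTAccount]).Value

# The services.msc step described in the post, expressed as a command (run elevated);
# -WhatIf only reports what would change, remove it to apply the change.
Set-Service -Name 'wuauserv' -StartupType Manual -WhatIf
```

Setting the startup type to Manual rather than Disabled keeps the Windows Update website usable, as the post notes.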

  8. #8 jockey0109 (Senior Member; joined Aug 2006; India; 289 posts)
    Yes, as far as %systemroot%\SoftwareDistribution is concerned, I was aware of it (I had applied updates to a newly installed OS copy from an already existing one on the same machine). Now, yes, that's the way the update takes place. I did not know about BITS (thanks for that). But my intention was not to tell him how Windows Update takes place in particular. Since he asked about a backdoor, I thought it would be better to tell him about the system account.

    Of course, for most of the things that Windows does, there is either a way from the policy side (gpedit) or the service side (services).

    And as far as this is concerned (quoting nihil):

    No, not by "normal methods" as it isn't a regular user account, but you can "hack" it:

    http://tech-hutblog.blogspot.com/200...m-account.html

    I can't say I can think of why you would want or need to do this though.

    I would certainly ask the person who wrote it whether he has tried it himself or not. As far as my small knowledge goes, and as per my experience too, the system account is not able to start ANY PROCESS WITH A VISIBLE WINDOW! If you try to start Explorer.exe under the system account, slowly your desktop will go away, then you will see the minimize, restore and close buttons blackening out, the taskbar going away, many services will start crashing, and so on.

    That's not the way you hack into your SYSTEM account. Yes, the at command can be used to run programs with SYSTEM privileges, but you cannot start a program which has visible windows and dialogue boxes and have it operate normally under the SYSTEM account.

    That's as per my experience. Tell me if anyone else has had success in running it that way! I would like to know HOW!!!

  9. #9 shakuni (Banned; joined Aug 2007; 24 posts)
    Quote Originally Posted by jockey0109
    you cannot start a program which has visible windows and dialogue boxes and have it operate normally under the SYSTEM account.

    But "a visible window and dialogue boxes" are not required to understand the working of some process. One can always start the process inside the kernel-level debugger and monitor its behaviour.

  10. #10 jockey0109 (Senior Member; joined Aug 2006; India; 289 posts)
    I am not saying that you cannot start the program. Nor am I saying that it is required. Actually, the page linked to in that post says that by starting EXPLORER.EXE under the system account (after shutting its context in the current user space), you can enjoy the privileges that WINDOWS enjoys itself! Now Explorer.exe has got windows; as you must know, My Computer, the start menu and the taskbar are all elements of the explorer.exe process. So that trick won't work to get privileges over the system with the whole desktop up under the SYSTEM account. Got what I wanted to say?
