Can Samsung tools change the Windows Update installation mode?

Discussion in 'Samsung' started by bel90, Jun 23, 2015.

Thread Status:
Not open for further replies.
  1. bel90

    bel90 Notebook Enthusiast

    Reputations:
    0
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    5
    Hello,

    There's something weird on my mother's notebook. Something changes the way Windows Update installs the updates. I set Windows Update (windows 8.1) to install the updates automatically, but something changes the setting behind my back to "check for updates but let me choose whether to download and install them". This problem appeared 3 or 4 months ago. She never installs software on the notebook, then I don't think it's a malware.
    It's actually easy for any software to change the setting since it's a simple registry key. I try to track down the reason for this behaviour. Could it be Samsung's tools (s agent, sw update)?

    Thanks
     
  2. John Ratsey

    John Ratsey Moderately inquisitive Super Moderator

    Reputations:
    7,187
    Messages:
    28,837
    Likes Received:
    2,102
    Trophy Points:
    581
    I've not come across any evidence to suggest that Samsung's utilities change the Windows Update settings.

    Does your mother have full admin rights or is there a separate admin account that has a different update setting? If she has limited computer knowledge then there would be sense in whoever set the machine up giving her a user account with restrictions.

    John
     
  3. XanderD

    XanderD Notebook Geek

    Reputations:
    14
    Messages:
    98
    Likes Received:
    0
    Trophy Points:
    15
  4. bel90

    bel90 Notebook Enthusiast

    Reputations:
    0
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    5
    Yes full admin rights, it's the the only account.

    By the way, she bought the laptop in 2013 and the problem appeared only 2 or 3 months ago when she asked me why windows tells her that some updates are ready and that she has something to do to installed them. I found out that the Windows Update mode was set to "let me choose". I thought it was me who did a mistake some day on her laptop, or that it was an update that changed the setting. Then I changed it again to automatic. But the next month it was back to let me choose, and again in june. And actually each time I start her laptop I can see the setting is gone.

    I googled and found a lot of people with similar issues (auto to let me choose, let me choose to auto, auto to desactivated...) but most of the time the issues remain unresolved.

    In my case, for several reasons I don't think it's a malware. Then I think it's the AV (avast), the OS or WU that change the setting.

    Or SW Update since it might conflict with WU. For example the drivers offered by SW Update and WU are sometimes different. Different version, package, provider,... Then I was wondering whether SW Update could disable the automatic mode to prevent these conflicts.

    About conflict, two weeks ago my mother told me that should couldn't type the @ symbol anymore. After further investigation I found out that WU installed a new version of the Synaptics driver (19.x) and that it breaks the Alt Gr key. I found a confirmation there: http://superuser.com/questions/9285...key-after-windows-update-polish-diacritical-s
    I uninstalled it and reinstalled the 18.x version offered by SW Update. Now it seems that the 19.x has been pulled from WU... That's why I think SW Update might disable the automatic mode, hence my question.

    Anyway, I think I'll should be able to narrow down the problem soon. Thanks to google I found how to tell Windows to monitor a key change in the registry (the one that defines the WU install mode), what modified it and write that in the event log. Then in one or two days, I should see in the event viewer whether it's a windows service, windows update, a third party tool, or even a malware. Then it should be easier to fix the problem for good.
     
    Last edited: Jun 27, 2015
  5. bel90

    bel90 Notebook Enthusiast

    Reputations:
    0
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    5
    Wow, very interesting, thanks!
    It's explained in depth there: http://bsodanalysis.blogspot.ro/2015/06/samsung-deliberately-disabling-windows.html
    It's funny to see that the blogger used the same things (auditpol and registry security auditing) than me to find the problem. In one or two days, I'll check my mother's laptop and have a look to what says the event viewer. Maybe I'll also see something about SW Update or this Disable_Windowsupdate.exe thing.
    If it's really SW Update, I'm a bit surprised nearly nobody noticed the problem. It didn't appeared yesterday, but about 2 months ago... Maybe not all Samsung laptops are concerned. We'll see.
    I keep you updated.
     
    Last edited: Jun 24, 2015
  6. John Ratsey

    John Ratsey Moderately inquisitive Super Moderator

    Reputations:
    7,187
    Messages:
    28,837
    Likes Received:
    2,102
    Trophy Points:
    581
    XanderD's post above links to a report that SW Update is creating a block on Windows Update. We need to understand the circumstances under which this is happening. Windows Update is working OK on my two Samsung notebooks (NP900X3B and NP900X4C, both running Windows 7). Which notebook and version of Windows does your mother have.

    I can understand Samsung wanting to block driver updates being offered by Windows Update but aren't fully compatible and then create problems but it shouldn't block the updates for Windows itself which are often to fix security issues.

    John
     
  7. bel90

    bel90 Notebook Enthusiast

    Reputations:
    0
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    5
    Ativ Book 2 NP275E5E. Shipped with windows 8, upgraded to 8.1, 64 bits.

    I keep you updated. The events viewer should quickly says what modify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\AUoptions

    About Disable_Windowsupdate.exe, that was reported by the blogger: It seems it has been around since at least april 26 and was compiled on april 7:
    http://www.herdprotect.com/disable_windowsupdate.exe-3b5ea561fd1bc3ca2199d788b141035baf9eddff.aspx

    So it's more or less what I observed on my mother's laptop, I said that it appeared 2 or 3 months ago.
     
    Last edited: Jun 24, 2015
  8. spincel

    spincel Notebook Consultant

    Reputations:
    4
    Messages:
    252
    Likes Received:
    8
    Trophy Points:
    31
    After hearing about this, I looked over my laptop to see whether or not this is happening. Mine is the Ativ Book 8 880Z5E. Currently I have the SWUpdate v2.2.4. Today, I check and SWUpdate alert me an update, which is 2.2.9. I already download and installed this. So for the Windows Update, from the beginning, I have never missed any Window Update. There is no indication that mine version of SWUpdate disable the Window Update or modify something with it. However, I pulled the log that the software uses to get all the available software that should be installed on mine machine, there is actually an configuration file that indicate the Disable_WindowUpdate like the blog post.

    Interestingly, I do not see SWUpdate tried to acquire the software at all since there is no file in my drive and there is no indication that file has been downloaded and ran before. One more tidbit is that the configuration file was downloaded on May of 2015, which is recently, and if you look at the detail of that over the blog post, you can see the version of the software is actually only version 1.0. So this could be that Samsung has been recently developed this type of software.

    On this topic, I would suggest people checking their C:\ProgramData\Samsung folder to see if there is any Disable_WindowUpdate file or something like that. Check and verify the Windows Update setting to make sure everything is correct. Also, go to SWUpdate and check to see if there is any software name like Disable Windows Update. Most of the time, the stuff that need to be installed or have been installed with SWUpdate will be displayed inside that software.

    For now, I think we need to make Samsung aware of this thing since Windows 10 is comming up and they will have to release drivers for it. In my opinion, the Windows Update and Samsung drivers are kind of enemies to each other. I owned the orignal Chronos and I experienced difficulties with both things when upgrading driver for the graphic card. That behavior still carries over the current laptop, but it is better know since you can install seperately Intel and AMD driver. I understand that Windows Update might cause some problems but not getting security patches is more a major disaster to me.

    P/s: The version 2.2.4 that I installed on mine before on current Windows 10 Preview is not functional and I have not tested the new one. But, I have not found any things related to the Windows Update stuff. And apparently, on Windows 10, the security is very tight that for thing that like the Brightness Control Patch or this Disable program stuff will not work at all. When doing the preview, using build 10130 I can run the installation for the Brightness Control, but using the leak 10147, I could not run the installation as Windows apparrently blocked the installation file, even though the installation supposed to be an executable that would be executed in order to change some registry keys.
     
  9. TANWare

    TANWare Just This Side of Senile, I think. Super Moderator

    Reputations:
    2,548
    Messages:
    9,585
    Likes Received:
    4,997
    Trophy Points:
    431
    Other issue may be too if Windows 10 supplies all driver updates it could easily mess with OEM's proprietary software and utilities. Samsung had enough issues with Windows 8.0 and then even 8.1, now what further issues with 10? I am hoping I am wrong and everything goes smoothly.
     
  10. bel90

    bel90 Notebook Enthusiast

    Reputations:
    0
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    5
    Quick update: WU is still in automatic mode today, the setting has not been changed behind my back. Then nothing new on this side. I just have to wait it happens. I don't know when. I just know it's not at every boot. Maybe it's once a day, once a week, I don't know.

    But I looked at the programdata folder, and I found Disable_WindowUpdate.exe in a samsung subfolder. I don't remember the exact path but it was something like C:\ProgramData\samsung\swupdate\package\temp\...\Disable_WindowUpdate.exe It's 2.27mb, created on april 7, version 1.0.0.1, digitally signed by samsung.

    More info when WU will be put in manual mode behind my back.

    PS: I just uploaded it to virustotal.com:
    This file was last analysed by VirusTotal on 2015-06-24 20:16:53 UTC (14 heures, 52 minutes ago) it was first analysed by VirusTotal on 2015-04-24 13:31:55 UTC.
    SHA256: 7b9547acf8b3792b48fe5a02f7d5f3e0dfba8e57055d60f479bb8adfed99871c
    Then it seems it has been around for 2 months.
     
    Last edited: Jun 25, 2015
Loading...
Thread Status:
Not open for further replies.

Share This Page