Automatic Update: Access is Denied


Guest James

(Windows XP Professional SP3)

Apologize in advance for a long message.

My Automatic Update is not running, even though "Automatic (recommended)" checkbox is selected in System Properties - Automatic Updates tab.

After opening Services (services.msc), Automatic Updates's Description, Status and Startup Type columns are empty. "Log On As" value is Local System.

When double clicking or right click -> select Properties on Automatic Updates in Services, I get this message,
"Unable to open service Automatic Updates for reading on Local Computer. Error 5: Access is denied."

When I go to Windows Update site and try installing updates manually (http://www.update.microsoft.com/windowsupd...t.aspx?ln=en-us), I get "Error number: 0x80070005" during installation after download is complete.

This seems to happen after I got some spyware, which I removed through scouring registries and cleaning offensive DLLs in system32 directory.

According to many articles, this is a permission problem with potential errors in registry. I tried a number of suggested fixes with no successful result,

- Verified BITS is running
- Verified I'm in Administrator group
- Added Trace Flag in Windows registry
- Stopped AdAware daemon. Cannot stop Norton however. But I was able to run Auto Updates before with Norton running
- Run 2 commands as suggested in this article, http://www.eggheadcafe.com/software/aspnet...all-record.aspx
  a) "sc sdset bits ..." returned SUCCESS
  b) "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is denied"
- Install and run SubInACL tool to repair file and registry permissions (http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx) finish successfully, but same Access error afterwards
- Manually re-install Automatic Update client (http://msmvps.com/blogs/athif/pages/49608.aspx). Browse C:\windows\ServicePackFiles\i386 where wuapi.dll is located. Restart the system. Same Access is Denied error
- Any attempt to "net stop/start wuauserv" returns Access is Denied

Random clues:

%windir%\inf\wuau.adm
======================
I notice in this file it uses,
KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
which is a path I don't have under HKLM, does this indicate a problem?

%windir%\setupapi.log
=====================
#-290 Processing REGISTERDLLS section [AU_dlls]. Binary: "%11%\wuaueng.dll", flags: 0x0001, timeout: 60s.
#E127 Calling "DllRegisterServer" in OLE Control "C:\WINDOWS\system32\wuaueng.dll" failed. Error 0x80070005: Access is denied.
#E291 Failed to register OLE server "C:\WINDOWS\system32\wuaueng.dll". Error 0x80070005: Access is denied.

%windir%\WindowsUpdate.log
==========================
- I added a Trace flag in registry for WindowsUpdate (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace, Flags=7, Level=4). Below is the log it generates during reboot.

------------------ 8< -----------------------
2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error 0x80070005
2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service with error 0x80070005
2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for service "wuauserv", permissions = 0x00000004
2009-02-06 11:53:20-0800 4080 248 AU service is not running.
2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed, hr=8024000C
2009-02-06 11:54:03-0800 1104 af8 AU service is not running.
2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed, hr=8024000C
2009-02-06 11:55:30-0800 1544 a24 Service Main starts
2009-02-06 11:55:30-0800 1544 a24 updated service status to 2
2009-02-06 11:55:30-0800 1544 a24 Processing any required registration
2009-02-06 11:55:30-0800 1544 a24 CSusProxyManager successfully initialized.
2009-02-06 11:55:30-0800 1544 a24 CIpAddressMonitor::CreateListenSocket returning with hr = 0
2009-02-06 11:55:30-0800 1544 a24 Logging events locally at C:\WINDOWS\SoftwareDistribution\ReportingEvents.log.
2009-02-06 11:55:30-0800 1544 a24 Using event cache directory at C:\WINDOWS\SoftwareDistribution\EventCache.
2009-02-06 11:55:30-0800 1544 a24 Using BatchFlushAge = 5240.
2009-02-06 11:55:30-0800 1544 a24 Using SamplingValue = 162.
2009-02-06 11:55:30-0800 1544 a24 Write buffer is empty. Not scheduling a flush.
2009-02-06 11:55:30-0800 1544 a24 Successfully loaded event namespace dictionary.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 1: Default Event.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 2: Retail Log event.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 3: Debug Log event.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 147: Agent has finished detecting items.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 148: Error: Agent failed detecting with reason: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 149: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.
2009-02-06 11:55:31-0800 1544 a24 Performance warning: CTraceCategory::Trace had to allocate memory
2009-02-06 11:55:31-0800 1544 a24 Loaded event 150: Update is installed.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 151: Update is installable.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 152: Update is superseded.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 154: Client has an invalid Pid.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 161: Error: Download failed.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 162: Download succeeded.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 163: Download canceled.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 182: Installation Failure: Windows failed to install the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 183: Installation Successful: Windows successfully installed the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 184: Installation successful and restart required for the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 185: Hide update: user hid one update.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 186: user cancelled the install
2009-02-06 11:55:31-0800 1544 a24 Loaded event 187: Installation killed: Installation of the following update is killed by the agent: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 188: Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on %1 at %2: %3
2009-02-06 11:55:31-0800 1544 a24 Loaded event 189: Installation Ready: The following updates are downloaded and ready for installation. To install the updates, an administrator should log on to this computer and Windows will prompt with further instructions: %1
2009-02-06 11:55:31-0800 1544 a24 Performance warning: CTraceCategory::Trace had to allocate memory
2009-02-06 11:55:31-0800 1544 a24 Loaded event 190: Installation Successful: Windows successfully installed the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 191: Installation successful and restart required for the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 192: Installation killed: Installation of the following update is killed by the agent: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 193: Restart Required: To complete the installation of the following updates, the computer must be restarted. Until this computer has been restarted, Windows cannot search for or download new updates: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 194: Restart Required: To complete the installation of the following updates, the computer will be restarted within %1 minutes: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 195: Installation Failure: Windows failed to install the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 196: Unhide update: user unhid one update.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 197: Installation Successful: Windows successfully installed the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 198: Installation Failure: Windows failed to install the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 199: Installation successful and restart required for the following update: %1
2009-02-06 11:55:31-0800 1544 a24 Loaded event 200: Installation killed: Installation of the following update is killed by the agent: %2
2009-02-06 11:55:31-0800 1544 a24 Loaded event 201: Installation pending.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 221: Uninstallation Failure: Windows failed to uninstall the following update with error %1: %2.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 222: Uninstallation Successful: Windows successfully uninstalled the following update: %1.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 223: User cancelled the uninstall.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 224: Uninstallation successful and restart required for the following update: %1.
2009-02-06 11:55:31-0800 1544 a24 Loaded event 225: Uninstallation killed: Uninstallation of the following update is killed by the agent: %2.
2009-02-06 11:55:31-0800 1544 a24 Successfully loaded client event namespace descriptor.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized local event logger. Events will be logged at C:\WINDOWS\SoftwareDistribution\ReportingEvents.log.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized NT event logger.
2009-02-06 11:55:31-0800 1544 a24 Batch flush age for server 0 is 120 seconds.
2009-02-06 11:55:31-0800 1544 a24 Write buffer is empty. Not scheduling a flush.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized event uploader 0.
2009-02-06 11:55:31-0800 1544 a24 Batch flush age for server 1 is 5240 seconds.
2009-02-06 11:55:31-0800 1544 a24 Write buffer is empty. Not scheduling a flush.
2009-02-06 11:55:31-0800 1544 a24 Successfully initialized event uploader 1.
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription 1 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription 0 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 Network interfaces : 1
2009-02-06 11:55:31-0800 1544 a24 Signal subscription event 8
2009-02-06 11:55:31-0800 1544 a24 create subscription event for destination 2 and routing 0
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription 8 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 Network interfaces : 1
2009-02-06 11:55:31-0800 1544 a24 destination 2 subscribes for subscription 9 with internalrouting 0
2009-02-06 11:55:31-0800 1544 a24 EE Handler QI: ISusExprEvaluate
2009-02-06 11:55:31-0800 1544 a24 CEEMsiHandler::AddRef: refcount is 2
2009-02-06 11:55:31-0800 1544 a24 Initializing BITS callback handler.
2009-02-06 11:55:31-0800 1544 a24 AddRef: ref count -> 1
2009-02-06 11:55:31-0800 1544 a24 DH Listener AddRef: ref count -> 1
2009-02-06 11:55:31-0800 1544 a24 Handler QI: IUnknown
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::AddRef: refcount is 2
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::Release: refcount is 1
2009-02-06 11:55:31-0800 1544 a24 Handler QI: ISusUpdateInstallerInfo
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::AddRef: refcount is 2
2009-02-06 11:55:31-0800 1544 a24 CUHHandlerBase::Release: refcount is 1
2009-02-06 11:55:31-0800 1544 a24 ref count on CCR after AddRef is 2
2009-02-06 11:55:31-0800 1544 a24 ref count on CCR after Release is 1
2009-02-06 11:55:31-0800 1544 a24 fail to register class object 0x80004015
2009-02-06 11:55:31-0800 1544 a24 Client call recorder fails to init with error 0x80004015
2009-02-06 11:55:31-0800 1544 a24 WU client with version 5.4.3790.5512 failed to initialize with error 0x80004015 from component agent
2009-02-06 11:55:31-0800 1544 a24 Failed to initialize WU client: 0x80004015
2009-02-06 11:55:31-0800 1544 a24 updated service status to 3
2009-02-06 11:55:32-0800 1544 a24 CEEMsiHandler::Release: refcount is 1
2009-02-06 11:55:32-0800 1544 a24 CEEMsiHandler::Release: refcount is 0
2009-02-06 11:55:32-0800 1544 a24 CUHHandlerBase::Release: refcount is 0
2009-02-06 11:55:32-0800 1544 a24 Submitting work item thread request.
2009-02-06 11:55:32-0800 1544 a24 new event 1 of type 2 added to event system
2009-02-06 11:55:32-0800 1544 a24 Asynchronously flushing CEventQueue@00608220.
2009-02-06 11:55:32-0800 1544 a24 Asynchronously flushing CEventQueue@00608220.
2009-02-06 11:55:32-0800 1544 a24 Done with asynchronous flush.
2009-02-06 11:55:32-0800 1544 a24 event 1 of type 2 removed from event system
2009-02-06 11:55:32-0800 1544 a24 DH Listener Release: ref count -> 0
2009-02-06 11:55:32-0800 1544 a24 DH Listener waiting for m_hSafeToDeleteEvent
2009-02-06 11:55:32-0800 1544 a24 Release: ref count -> 0
2009-02-06 11:55:32-0800 1544 a24 Waiting for m_hSafeToDeleteEvent
2009-02-06 11:55:32-0800 1544 a24 WUAUENG ServiceMain exits. Exit code is 0x80004015
------------------ >8 -----------------------

 

Again I apologize for the long message. But I'm running out of ideas. Any help would be greatly appreciated!
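
Added example, not part of James's post: a short Python triage of WindowsUpdate.log lines copied from the excerpt above. It decodes each failing HRESULT into facility and code and names the service access right behind `permissions = 0x00000004`; the function names are hypothetical, and the symbolic names come from the Windows SDK headers, not from the thread.

```python
import re
from collections import Counter

# Lines copied from the WindowsUpdate.log excerpt in the post above.
SAMPLE_LOG = """\
2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error 0x80070005
2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for service "wuauserv", permissions = 0x00000004
2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed, hr=8024000C
2009-02-06 11:55:30-0800 1544 a24 CIpAddressMonitor::CreateListenSocket returning with hr = 0
2009-02-06 11:55:31-0800 1544 a24 fail to register class object 0x80004015
2009-02-06 11:55:32-0800 1544 a24 Asynchronously flushing CEventQueue@00608220.
2009-02-06 11:55:32-0800 1544 a24 WUAUENG ServiceMain exits. Exit code is 0x80004015
"""

# timestamp, process id, thread id (hex), message
LINE_RE = re.compile(r"^(\S+ \S+) (\d+) ([0-9a-f]+) (.*)$")
# This log writes HRESULTs both as "0x80070005" and as "hr=8024000C".
HRESULT_RE = re.compile(r"(?:0x|hr\s*=\s*)([0-9A-Fa-f]{8})\b")
ACCESS_RE = re.compile(r'for service "([^"]+)", permissions = 0x([0-9A-Fa-f]+)')

FACILITIES = {0: "FACILITY_NULL", 7: "FACILITY_WIN32", 36: "FACILITY_WINDOWSUPDATE"}
KNOWN = {
    0x80070005: "E_ACCESSDENIED (Win32 error 5, access is denied)",
    0x8024000C: "WU_E_NOOP",
    0x80004015: "CO_E_WRONG_SERVER_IDENTITY",
}
# Service-specific access rights (winsvc.h).
SERVICE_RIGHTS = {
    0x0001: "SERVICE_QUERY_CONFIG",
    0x0002: "SERVICE_CHANGE_CONFIG",
    0x0004: "SERVICE_QUERY_STATUS",
    0x0008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x0010: "SERVICE_START",
    0x0020: "SERVICE_STOP",
    0x0040: "SERVICE_PAUSE_CONTINUE",
    0x0080: "SERVICE_INTERROGATE",
    0x0100: "SERVICE_USER_DEFINED_CONTROL",
}


def decode_hresult(value):
    """Split a 32-bit HRESULT into severity bit, facility and 16-bit code."""
    facility = (value >> 16) & 0x7FF
    return {
        "failed": bool(value & 0x80000000),
        "facility": FACILITIES.get(facility, "facility %d" % facility),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }


def decode_service_access(mask):
    """Names of the service access rights set in an access mask."""
    return [name for bit, name in SERVICE_RIGHTS.items() if mask & bit]


def triage(log_text):
    """Return (Counter of failing HRESULTs, list of denied service opens)."""
    failures = Counter()
    denied = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue
        message = match.group(4)
        codes = [int(h, 16) for h in HRESULT_RE.findall(message)]
        # Only values with the severity bit set are failures; this skips the
        # access mask 0x00000004 that the same pattern also picks up.
        failing = [c for c in codes if c & 0x80000000]
        failures.update(failing)
        access = ACCESS_RE.search(message)
        if access and 0x80070005 in failing:
            rights = decode_service_access(int(access.group(2), 16))
            denied.append((access.group(1), rights))
    return failures, denied


if __name__ == "__main__":
    failures, denied = triage(SAMPLE_LOG)
    for value, count in failures.most_common():
        info = decode_hresult(value)
        print("0x%08X x%d  %s code %d  %s"
              % (value, count, info["facility"], info["code"], info["name"]))
    for service, rights in denied:
        print("access denied opening %s for %s" % (service, ", ".join(rights)))
```

The output separates two symptoms: the service open is refused with access denied even for the read-only SERVICE_QUERY_STATUS right, and the service's own start-up later fails with a COM identity error.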


Guest PA Bear [MS MVP]

> This seems to happen after I got some spyware, which I removed through
> scouring registries and cleaning offensive DLLs in system32 directory.

You've got (much) more work to do:

1. See if you can download/run the MSRT manually:
http://www.microsoft.com/security/malwareremove/default.mspx

2. Run this online scan (in safe mode w/networking, if need be):
http://onecare.live.com/site/en-us/center/howsafe.htm

3. Run a /thorough/ check for hijackware, including posting the requested logs in an appropriate forum.

Checking for/Help with Hijackware
http://aumha.net/viewtopic.php?f=30&t=4075
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://www.elephantboycomputers.com/page2....emoving_Malware

Post your logs to http://spywarehammer.com/simplemachinesfor....php?board=10.0, http://forums.spybot.info/forumdisplay.php?f=22, http://aumha.net/viewforum.php?f=30, or another appropriate forum for review by an expert in such matters, not here.

If the procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA) computer repair shop.
=====================
Start a free Windows Update support incident request:
https://support.microsoft.com/oas/default.aspx?gprid=6527

Support for Windows Update:
http://support.microsoft.com/gp/wusupport

For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and in Canada or by contacting your local Microsoft subsidiary. There is no charge for support calls that are associated with security updates.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/

 

 


I found a fix!!!

 

Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security Check. Fortunately no malicious software was found. I did run multiple scans with Norton and AdAware in safe mode before and removed suspicious software. However, there is really useful information from the scan output.

Turns out the Security setting of wuauserv was corrupted. Can't remember how it happened. But it might have something to do with some settings during multiple scans.

Anyway, I was able to fix it by following steps as described here: http://entwindows.com/forums/forum_posts.asp?tid=2357&pn=2.

Thanks for the help.

 

James
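
Added example, not from the thread or the linked fix: how a service DACL produces "Error 5: Access is denied" even for a member of Administrators. The SDDL strings are constructed samples of the kind `sc sdshow` prints (the thread never shows the real wuauserv descriptor), the helper names are hypothetical, and owner rights and privileges such as take-ownership are not modelled.

```python
import re
from collections import namedtuple

# SDDL rights letters as they apply to service objects (winsvc.h / winnt.h).
RIGHTS = {
    "CC": 0x0001,   # SERVICE_QUERY_CONFIG
    "DC": 0x0002,   # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,   # SERVICE_QUERY_STATUS
    "SW": 0x0008,   # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,   # SERVICE_START
    "WP": 0x0020,   # SERVICE_STOP
    "DT": 0x0040,   # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,   # SERVICE_INTERROGATE
    "CR": 0x0100,   # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
}

Ace = namedtuple("Ace", "kind mask sid")

# Constructed samples. HEALTHY grants Local System (SY), Administrators (BA)
# and Authenticated Users (AU); DAMAGED has lost every ACE except SY.
HEALTHY_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)")
DAMAGED_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"

# SID aliases assumed to be present in an interactive administrator's token.
ADMIN_TOKEN = frozenset({"BA", "AU", "IU"})

# Operations from the thread and the access each one needs.
CHECKS = {
    "query status (0x4, as requested in WindowsUpdate.log)": RIGHTS["LC"],
    "query config": RIGHTS["CC"],
    "start and stop (net start/stop)": RIGHTS["RP"] | RIGHTS["WP"],
    "rewrite DACL (sc sdset)": RIGHTS["WD"],
}


def parse_rights(text):
    """Turn an SDDL rights field (letter pairs or 0x hex) into a mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("odd-length rights string: %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS[text[i:i + 2]]  # KeyError on a letter pair not listed
    return mask


def parse_dacl(sddl):
    """Extract allow/deny ACEs, in order, from the D: part of an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        raise ValueError("no DACL with ACEs in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        kind, _flags, rights, _obj, _inherit_obj, sid = fields
        if kind in ("A", "D"):  # object and audit ACE types are skipped
            aces.append(Ace(kind, parse_rights(rights), sid))
    return aces


def access_check(dacl, token_sids, desired):
    """Walk the DACL in order: a matching deny ACE that covers a still-needed
    bit refuses the request, allow ACEs accumulate, and anything not
    explicitly granted by the end of the list is refused."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "D" and ace.mask & remaining:
            return False
        if ace.kind == "A":
            remaining &= ~ace.mask
            if not remaining:
                return True
    return False


def audit(sddl, token_sids=ADMIN_TOKEN):
    """Map each operation in CHECKS to True (allowed) or False (error 5)."""
    dacl = parse_dacl(sddl)
    return {name: access_check(dacl, token_sids, mask)
            for name, mask in CHECKS.items()}


if __name__ == "__main__":
    for label, sddl in (("healthy", HEALTHY_SDDL), ("damaged", DAMAGED_SDDL)):
        print(label)
        for name, allowed in audit(sddl).items():
            print("  %-55s %s" % (name, "ok" if allowed else "access denied"))
```

With the damaged sample every check fails, including the WRITE_DAC needed to repair the descriptor, which matches a state where `sc sdset` itself returns "OpenService FAILED 5".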

 

 


Guest PA Bear [MS MVP]

> Turns out the Security setting of wuauserv was corrupted. Can't remember
> how it happened.

 

That was the work of the hijackware infection(s).

 

James wrote:<span style="color:blue">

> I found a fix!!!

>

> Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security

> Check. Fortunately no malicious software was found. I did run multiple

> scans with Norton and AdAware in safe mode before and removed suspicious

> softwares. However, there are really useful information from the scan

> output.

>

> Turns out the Security setting of wuauserv was corrupted. Can't remember

> how it happened. But it might have something to do some settings during

> multiple scans.

>

> Anyway, I was able to fix it by following steps as descripted here:

> http://entwindows.com/forums/forum_posts.asp?tid=2357&pn=2.

>

> Thanks for the help.

>

> James

>

>

> "PA Bear [MS MVP]" wrote:

><span style="color:green"><span style="color:darkred">

>>> This seems to happen after I got some spywares, which I removed through

>>> scouring registries and cleaning offensive DLLs in system32 directory.</span>

>>

>> You've got (much) more work to do:

>>

>> 1. See if you can download/run the MSRT manually:

>> http://www.microsoft.com/security/malwareremove/default.mspx

>>

>> 2. Run this online scan (in safe mode w/networking, if need be):

>> http://onecare.live.com/site/en-us/center/howsafe.htm

>>

>> 3. Run a /thorough/ check for hijackware, including posting the requested

>> logs in an appropriate forum.

>>

>> Checking for/Help with Hijackware

>> http://aumha.net/viewtopic.php?f=30&t=4075

>> http://mvps.org/winhelp2002/unwanted.htm

>> http://inetexplorer.mvps.org/data/prevention.htm

>> http://inetexplorer.mvps.org/tshoot.html

>> http://www.mvps.org/sramesh2k/Malware_Defence.htm

>> http://www.elephantboycomputers.com/page2....emoving_Malware

>>

>> Post your logs to

>> http://spywarehammer.com/simplemachinesfor....php?board=10.0,

>> http://forums.spybot.info/forumdisplay.php?f=22,

>> http://aumha.net/viewforum.php?f=30, or another appropriate forum for

>> review by an expert in such matters, not here.

>>

>> If the procedures look too complex - and there is no shame in admitting

>> this isn't your cup of tea - take the machine to a local, reputable and

>> independent (i.e., not BigBoxStoreUSA) computer repair shop.

>> =====================

>> Start a free Windows Update support incident request:

>> https://support.microsoft.com/oas/default.aspx?gprid=6527

>>

>> Support for Windows Update:

>> http://support.microsoft.com/gp/wusupport

>>

>> For home users, no-charge support is available by calling 1-866-PCSAFETY

>> in

>> the United States and in Canada or by contacting your local Microsoft

>> subsidiary. There is no-charge for support calls that are associated

>> with

>> security updates.

>> --

>> ~Robear Dyer (PA Bear)

>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>> AumHa VSOP & Admin http://aumha.net

>> DTS-L http://dts-l.net/

>>

>>

>> James wrote:<span style="color:darkred">

>>> (Windows XP Professional SP3)

>>> Apologize in advance for a long message.

>>>

>>> My Automatic Update is not running, even though "Automatic

>>> (recommended)"

>>> checkbox is selected in System Properties - Automatic Updates tab.

>>>

>>> After opening Services (services.msc), Automatic Updates's Description,

>>> Status and Startup Type columns are empty. "Log On As" value is Local

>>> System.

>>>

>>> When double clicking or right click -> select Properties on Automatic

>>> Updates in Services, I get this message,

>>> "Unable to open service Automatic Updates for reading on Local Computer.

>>> Error 5: Access is denied."

>>>

>>> When I go to Windows Update site and try installing updates manually

>>> (http://www.update.microsoft.com/windowsupd...t.aspx?ln=en-us),

>>> I

>>> get "Error number: 0x80070005" during installation after download is

>>> complete.

>>>

>>> This seems to happen after I got some spywares, which I removed through

>>> scouring registries and cleaning offensive DLLs in system32 directory.

>>>

>>> According to many articles indicated, this is a permission problems with

>>> potential errors in registry. I tried a number of suggested fixes with

>>> no

>>> successful result,

>>>

>>> - Verified BITS is running

>>> - Verified I'm in Administrator group

>>> - Added Trace Flag in Windows registry

>>> - Stopped AdAware daemon. Cannot stop Norton however. But I was able

>>> to

>>> run Auto Updates before with Norton running

>>> - Run 2 commands as suggested in this article,

>>> http://www.eggheadcafe.com/software/aspnet...all-record.aspx

>>> a) "sc sdset bits ..." returned SUCCESS

>>> style_emoticons/ "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is

>>> denied" - Install and run SubInACL tool to repair file and registry

>>> permissions

>>> (http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx)

>>> finish successfully, but same Access error afterwards

>>> - Munually re-install Automatic Update client

>>> (http://msmvps.com/blogs/athif/pages/49608.aspx)

>>> Browse C:windowsServicePackFilesi386 where wuapi.dll is located.

>>> Restart the system. Same Access is Denied error

>>> - Any attempt to "net stop/start wuauserv" returns Access is Denied

>>>

>>> Random clues:

>>>

>>> %windir%\inf\wuau.adm

>>> ======================

>>> I notice in this file it uses,

>>> KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

>>> which is a path I don't have under HKLM, does this indicate a problem?

>>>

>>> %windir%\setupapi.log

>>> =====================

>>> #-290 Processing REGISTERDLLS section [AU_dlls]. Binary:

>>> "%11%\wuaueng.dll",

>>> flags: 0x0001, timeout: 60s.

>>> #E127 Calling "DllRegisterServer" in OLE Control

>>> "C:\WINDOWS\system32\wuaueng.dll" failed. Error 0x80070005: Access is

>>> denied.

>>> #E291 Failed to register OLE server

>>> "C:\WINDOWS\system32\wuaueng.dll". Error 0x80070005: Access is denied.

>>>

>>> %windir%\WindowsUpdate.log

>>> ==========================

>>> - I added a Trace flag in registry for WindowsUpdate

>>> (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace,

>>> Flags=7, Level=4). Below is the log it generates during reboot.

>>> ------------------ 8< -----------------------

>>> 2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error

>>> 0x80070005

>>> 2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service

>>> with

>>> error 0x80070005

>>> 2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005)

>>> for

>>> service "wuauserv", permissions = 0x00000004

>>> 2009-02-06 11:53:20-0800 4080 248 AU service is not running.

>>> 2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,

>>> hr=8024000C

>>> 2009-02-06 11:54:03-0800 1104 af8 AU service is not running.

>>> 2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed,

>>> hr=8024000C

>> <snip>


  • 1 month later...
Guest BayAreaDave

Hello Everyone,

After 3 days of searching and comparing registries with 3 computers I found the Fix

Error code 0x80070005 Can not enable Automatic Updates

First Run Malwarebytes and your antivirus program to remove scum viruses.

After Viruses are removed.

Log in to Safe Mode with Administrator Privileges

Click Start >
Run >
Type "regedit" (without " ")

On the menu bar choose edit > Find > on the text box type "wuauserv" (without " "). Remove the check marks named Values and Data (only Keys should remain checked). > click on Find Next

Go through all the keys one at a time and first check its permissions by right clicking on the key > Permissions > enable FULL CONTROL > CLICK APPLY

NOW ON THE IMAGEPATH CHANGE %fystemroot%\System32\svchost.exe -k netsvcs to read correctly as "%SystemRoot%\System32\svchost.exe -k netsvcs" (only the S is changed to f). (You do this by right clicking the imagepath on the right hand side pane and selecting modify)

HIT the F3 button to Find the next wuauserv key and do the same steps.

Check permissions on each key and change if necessary (remember you must be in SAFE MODE ADMINISTRATOR).

Now do the same steps for the BITS key

Check its permissions and set to Full control if necessary.

Finally, close Registry Editor.

Start > Run > services.msc

Find Automatic Updates > Right click > Properties
under START UP TYPE > change to AUTOMATIC

Do the same for Bits if necessary.

And voilà, Automatic Updates is back.


Guest PA Bear [MS MVP]

How have you determined that just running MBAM removed all traces of the

hijackware that infected your computer?

 



  • 2 months later...
Guest LightCC

After two days and probably 12 hours of working on my final bit of virus

removal for a friend's PC this post helped me take the last few steps to

reenable Windows Update.

 

Therefore, I'm posting all the major steps I took along with the final

procedure in order to help others out.

 

This PC had a bad virus situation. It was sending out 50k-60k emails a

day, had software that was disabling security like antivirus programs,

and I couldn't run process explorer or hijackthis on it at first.

 

Before I got it, the outdated McAfee was run on it and found a bunch

of things. An old version of Spybot was on I had installed. So I

started by getting the latest Spybot S&D which found about 4 malicious

threats. 2 of those came back after cleaning, however.

 

A web search led me to download Malwarebytes' Anti-Malware program,

which was able to remove those 2 viruses and found a few more and

cleaned them. The final problem was that Windows Update was disabled...

thus started a journey of a 1000 steps... or 1000 DOS commands, or

something like that...

 

So here's the rest of the story on how I got Windows update back up.

It appears to be the same virus others in this thread posted about, but

I had to do a few extra things to get it running, here's the info.

 

The first part and a few others, are cut and paste from elsewhere with

useful information:

 

-----------------

 

Here is perhaps the most definitive (and long-running) conversation

about

that error:

http://groups.google.com/group/micro...4667c09cb402c0

=================

Start a free Windows Update support incident request:

https://support.microsoft.com/oas/de...spx?gprid=6527

 

Support for Windows Update:

http://support.microsoft.com/gp/wusupport

 

For home users, no-charge support is available by calling

1-866-PCSAFETY in

the United States and in Canada or by contacting your local Microsoft

subsidiary. There is no-charge for support calls that are associated

with

security updates.

 

For more information about how to contact your local Microsoft

subsidiary

for security update support issues, visit the International Support

Web

site: http://support.microsoft.com/common/international.aspx

 

For enterprise customers, support for security updates is available

through

your usual support contacts.

--

~Robear Dyer (PA Bear)

MS MVP-Windows (IE, OE, Security, Shell/User)

AumHa VSOP & Admin; DTS-L.netw

 

 

 

---------------

 

Finding the permissions problem:

 

Tried to run dos (cmd) and register all the dlls as per a posting. One

failed:

> net stop wuauserv

> net stop bits

(neither was started)

> regsvr32 wuaueng.dll

Message pops up: DllRegisterServer in wuaueng.dll failed. Return code was: 0x80070005

 

According to many web posts this is a permissions problem.

 

--------------

 

Next tried doing a manual reinstall of Windows Update, as follows:

 

You can install the WindowsUpdateAgent which is available for download

from

http://go.microsoft.com/fwlink/?LinkId=43264 and run the following

command;

 

WindowsUpdateAgent30-x86.exe /wuforce

 

 

I just renamed it to WUA30.exe and ran

>> WUA30.exe /wuforce

to force the install. The install failed with following error number:

0x8024d007

 

-----------

 

At some point around here I tried using the SubInACL tool (see

http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx) to reset

the permissions. This failed to change the affected registry keys for

wuauserv (I wasn't aware of the problem with BITS at this point)

 

Maybe this would have worked if I had run it in safe mode, but I wasn't

aware of the virus changes to the paths at this point either...

 

----------------------------

 

Posted fix in safe mode as Administrator by someone else:

 

Hello Everyone,

After 3 days of searching and comparing registries with 3 computers I found the Fix

Error code 0x80070005 Can not enable Automatic Updates

First Run Malwarebytes and your antivirus program to remove scum viruses.

After Viruses are removed.

Log in to Safe Mode with Administrator Privileges

Click Start >
Run >
Type "regedit" (without " ")

On the menu bar choose edit > Find > on the text box type "wuauserv" (without " "). Remove the check marks named Values and Data (only Keys should remain checked). > click on Find Next

Go through all the keys one at a time and first check its permissions by right clicking on the key > Permissions > enable FULL CONTROL > CLICK APPLY

NOW ON THE IMAGEPATH CHANGE %fystemroot%\System32\svchost.exe -k netsvcs to read correctly as "%SystemRoot%\System32\svchost.exe -k netsvcs" (only the S is changed to f). (You do this by right clicking the imagepath on the right hand side pane and selecting modify)

HIT the F3 button to Find the next wuauserv key and do the same steps.

Check permissions on each key and change if necessary (remember you must be in SAFE MODE ADMINISTRATOR).

Now do the same steps for the BITS key

Check its permissions and set to Full control if necessary.

Finally, close Registry Editor.

Start > Run > services.msc

Find Automatic Updates > Right click > Properties
under START UP TYPE > change to AUTOMATIC

Do the same for Bits if necessary.

And voilà, Automatic Updates is back.

 

 

----------------

 

Some notes, clarification and my final process to fix things on my PC:

 

 

It does not have to be the official "Administrator" account as long

as the user you log into in safe mode has Administrator access.

 

When you do 'find' in regedit is when he means to uncheck the 'values' and 'data' box. I thought he meant during editing after you get to the keys... but these should be the keys that need to be changed. There may be additional ones so if it doesn't work try a full search and check the permissions on every key it finds

 

The appropriate keys on my machine were:

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BITS

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

 

Searching for bits and wuauserv found other entries and keys

that were not affected

 

In these keys the permissions had been changed to only administrator

with only read permission. To get the full list back I did the

following:

 

- Right click on wuauserv key, choose permissions

- See only administrators in the list.

- Click "Advanced" at the bottom

- Checkbox "Inherit from parent the permission entries that apply to

child

objects. Include these with entries explicitly defined here"

- Click OK

- Click OK

 

- In the right pane double-click the "ImagePath" key to edit it

- Change the "%fystemroot%" at the beginning of the path to

"%systemroot%"

(the virus had purposely edited it to be misspelled)

- After doing this on ControlSet001 and ControlSet004 the changes already showed up in CurrentControlSet when I got there

 

In services.msc,

Automatic Updates was set to Automatic startup type

Background Intelligent Transfer service was set to Manual startup type

 

No need to change either of those

 

But boot back into windows normal mode and all the permissions are

changed back and the ImagePath values are corrupted again.

 

So, I go through the virusscan mode again, this time trying the full-on

normal-mode, turnoff system restore, and then rescan in safe mode

method.

 

1. TURN OFF SYSTEM RESTORE

2. Full scan with Malware - clean

3. Full scan with spybot - clean

 

4. Reboot into safe mode on an administrator-enabled account

 

5. normal scan with Malware - clean

6. Full scan with McAfee - subscription ran out about 3/2009, 3 months

ago

 

- found 2 files, I think from heuristic search, one auto-cleaned, I

quarantined the other

 

7. Now, go back and redo the permissions and path updates on the 6

registry keys

8. This time, however, I opened a dos prompt in safe mode and ran the

regsvr32 wuaueng.dll

- SUCCESS!!

 

9. I rebooted into normal mode windows and Windows Update was

running.

10. Checked the bad registry keys and they were all still in the

correct new state

 

So, I'm not sure if it was the 2 files McAfee found, disabling the

system restore,

or running the regsvr32 command while still in safe mode, but I'm now

up and running.

 

Just wanted to share the procedure!

 

 

--

LightCC

------------------------------------------------------------------------

LightCC's Profile: http://forums.techarena.in/members/104315.htm

View this thread: http://forums.techarena.in/windows-update/1118137.htm

 

http://forums.techarena.in


Guest MowGreen

> The appropriate keys on my machine were:

>

> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS

> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv

> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BITS

> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv

> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS

> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv

 

There should be no ControlSet subkeys numbered higher than 3. The

ControlSet004 was created by the malware.

 

The only subkey that needs editing is CurrentControlSet.

 

The other subkeys, ControlSet001 - ControlSet003, are pointed to by

CurrentControlSet.

Although the KB below is for Windows NT, the only difference is that

there is no Clone subkey.

 

What are Control Sets? What is CurrentControlSet?

http://support.microsoft.com/kb/100010

> The most valuable and reliable control set is CurrentControlSet. If you need to modify system

> settings in the Registry, CurrentControlSet is the best subkey to choose because you know that it is

> the correct control set. You also know that if your modifications harm your system configuration, you

> will still be able to boot using the last known good control set.

 

EX: [HKEY_LOCAL_MACHINE\SYSTEM\Select]

"Current"=dword:00000001

"Default"=dword:00000001

"Failed"=dword:00000000

"LastKnownGood"=dword:00000003

 

If the system fails to boot, upon the restart the boot menu will appear.

The same boot menu shows up when one presses F8 prior to Windows loading

in order to reach Safe Mode.

Choosing the LastKnownGood configuration on the boot menu will load the

last successfully loaded ControlSet, which in this case is ControlSet003.

>> But boot back into windows normal mode and all the permissions are

>> changed back and the ImagePath values are corrupted again.

 

Cleaning a system first will preclude having to reset perms and imagepath values more than once; however, some of the tools needed to remove most current malwares can be deleterious to the system.

Which is precisely why disabling System Restore should be done as a

last step. It will add time to the scans but ... it's best to have a

rat infested [malware] lifeboat rather than none at all.

 

Emptying all temp and temporary internet files will cut down on the

scan times without risking a non-boot situation.

 

Otherwise ... nice writeups LightCC and BayAreaDave.

 

 

MowGreen

===============

-343- FDNY

Never Forgotten

===============

 

 

 


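An added example, not code from any poster in this thread: a Python audit over registry text laid out like `reg query` output, flagging the two symptoms described in the posts above, an ImagePath that uses an unrecognized variable such as %fystemroot% and a ControlSetNNN that SYSTEM\Select does not reference. The sample input, the allow-list of variables and every function name are assumptions constructed for illustration.

```python
import re

# Value the thread gives as the correct ImagePath for wuauserv (and BITS).
EXPECTED_IMAGE_PATH = r"%SystemRoot%\System32\svchost.exe -k netsvcs"
# Variables a stock ImagePath may reference (assumption made for this sketch).
KNOWN_ENV_VARS = {"systemroot", "windir"}
WATCHED_SERVICES = {"wuauserv", "bits"}

# Constructed sample in the layout `reg query` prints: a key line followed by
# indented "name  type  data" lines. Not captured from a real machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\Select
    Current    REG_DWORD    0x1
    Default    REG_DWORD    0x1
    Failed    REG_DWORD    0x0
    LastKnownGood    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %fystemroot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\wuauserv
    ImagePath    REG_EXPAND_SZ    %fystemroot%\System32\svchost.exe -k netsvcs
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")
KEY_RE = re.compile(
    r"\\SYSTEM\\(ControlSet(\d{3})|CurrentControlSet)\\Services\\([^\\]+)$", re.I)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg-query style text."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            current[name] = (vtype, data.strip())
    return keys


def referenced_control_sets(keys):
    """Control-set numbers named by the Select key; 0 means 'none' and is dropped."""
    select = next((vals for path, vals in keys.items()
                   if path.upper().endswith(r"\SYSTEM\SELECT")), {})
    nums = {int(data, 16) for vtype, data in select.values() if vtype == "REG_DWORD"}
    return nums - {0}


def audit(text):
    """Return a list of (key_path, finding) tuples for the watched services."""
    keys = parse_reg_query(text)
    referenced = referenced_control_sets(keys)
    findings = []
    for path, values in sorted(keys.items()):
        m = KEY_RE.search(path)
        if not m or m.group(3).lower() not in WATCHED_SERVICES:
            continue
        # Numbered control set that no Select value points at: worth a review.
        if m.group(2) and int(m.group(2)) not in referenced:
            findings.append((path, "control set not referenced by SYSTEM\\Select"))
        image = values.get("ImagePath", (None, ""))[1]
        unknown = [v for v in re.findall(r"%([^%]+)%", image)
                   if v.lower() not in KNOWN_ENV_VARS]
        if unknown:
            names = ", ".join("%" + v + "%" for v in unknown)
            findings.append((path, "unknown variable in ImagePath: " + names))
        elif image.lower() != EXPECTED_IMAGE_PATH.lower():
            findings.append((path, "unexpected ImagePath: " + image))
    return findings


if __name__ == "__main__":
    for key_path, finding in audit(SAMPLE):
        print(key_path, "->", finding)
```

Running the same audit again after a reboot into normal mode shows whether the values were reverted, which is the behaviour LightCC reports before the final cleanup.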

  • 3 months later...

Hi james

 

would u like tell the method which can fix this update error ?

The link" http://entwindows.com/................." which u give can not open.

also can mail to simon.meng@the-ascott.com

thanks a lot for ur help

 

 

 

"James" wrote:


> I found a fix!!!

>

> Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security

> Check. Fortunately no malicious software was found. I did run multiple

> scans with Norton and AdAware in safe mode before and removed suspicious

> softwares. However, there are really useful information from the scan output.

>

> Turns out the Security setting of wuauserv was corrupted. Can't remember

> how it happened. But it might have something to do some settings during

> multiple scans.

>

> Anyway, I was able to fix it by following steps as described here:

> http://entwindows.com/forums/forum_posts.asp?tid=2357&pn=2.

>

> Thanks for the help.

>

> James

>

>

> "PA Bear [MS MVP]" wrote:

> > > This seems to happen after I got some spywares, which I removed through

> > > scouring registries and cleaning offensive DLLs in system32 directory.

> >

> > You've got (much) more work to do:

> >

> > 1. See if you can download/run the MSRT manually:

> > http://www.microsoft.com/security/malwareremove/default.mspx

> >

> > 2. Run this online scan (in safe mode w/networking, if need be):

> > http://onecare.live.com/site/en-us/center/howsafe.htm

> >

> > 3. Run a /thorough/ check for hijackware, including posting the requested

> > logs in an appropriate forum.

> >

> > Checking for/Help with Hijackware

> > http://aumha.net/viewtopic.php?f=30&t=4075

> > http://mvps.org/winhelp2002/unwanted.htm

> > http://inetexplorer.mvps.org/data/prevention.htm

> > http://inetexplorer.mvps.org/tshoot.html

> > http://www.mvps.org/sramesh2k/Malware_Defence.htm

> > http://www.elephantboycomputers.com/page2....emoving_Malware

> >

> > Post your logs to

> > http://spywarehammer.com/simplemachinesfor....php?board=10.0,

> > http://forums.spybot.info/forumdisplay.php?f=22,

> > http://aumha.net/viewforum.php?f=30, or another appropriate forum for review

> > by an expert in such matters, not here.

> >

> > If the procedures look too complex - and there is no shame in admitting this

> > isn't your cup of tea - take the machine to a local, reputable and

> > independent (i.e., not BigBoxStoreUSA) computer repair shop.

> > =====================

> > Start a free Windows Update support incident request:

> > https://support.microsoft.com/oas/default.aspx?gprid=6527

> >

> > Support for Windows Update:

> > http://support.microsoft.com/gp/wusupport

> >

> > For home users, no-charge support is available by calling 1-866-PCSAFETY in

> > the United States and in Canada or by contacting your local Microsoft

> > subsidiary. There is no-charge for support calls that are associated with

> > security updates.

> > --

> > ~Robear Dyer (PA Bear)

> > MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

> > AumHa VSOP & Admin http://aumha.net

> > DTS-L http://dts-l.net/

> >

> >

> > James wrote:

> > > (Windows XP Professional SP3)

> > > Apologize in advance for a long message.

> > >

> > > My Automatic Update is not running, even though "Automatic (recommended)"

> > > checkbox is selected in System Properties - Automatic Updates tab.

> > >

> > > After opening Services (services.msc), Automatic Updates's Description,

> > > Status and Startup Type columns are empty. "Log On As" value is Local

> > > System.

> > >

> > > When double clicking or right click -> select Properties on Automatic

> > > Updates in Services, I get this message,

> > > "Unable to open service Automatic Updates for reading on Local Computer.

> > > Error 5: Access is denied."

> > >

> > > When I go to Windows Update site and try installing updates manually

> > > (http://www.update.microsoft.com/windowsupd...t.aspx?ln=en-us),

> > > I

> > > get "Error number: 0x80070005" during installation after download is

> > > complete.

> > >

> > > This seems to happen after I got some spywares, which I removed through

> > > scouring registries and cleaning offensive DLLs in system32 directory.

> > >

> > > According to many articles indicated, this is a permission problems with

> > > potential errors in registry. I tried a number of suggested fixes with no

> > > successful result,

> > >

> > > - Verified BITS is running

> > > - Verified I'm in Administrator group

> > > - Added Trace Flag in Windows registry

> > > - Stopped AdAware daemon. Cannot stop Norton however. But I was able to

> > > run Auto Updates before with Norton running

> > > - Run 2 commands as suggested in this article,

> > > http://www.eggheadcafe.com/software/aspnet...all-record.aspx

> > > a) "sc sdset bits ..." returned SUCCESS

> > > b) "sc sdset wuauserv ..." returned "OpenService FAILED 5: Access is

> > > denied"

> > > - Install and run SubInACL tool to repair file and registry

> > > permissions

> > > (http://blogs.msdn.com/astebner/archive/200.../04/739820.aspx)

> > > finish successfully, but same Access error afterwards

> > > - Manually re-install Automatic Update client

> > > (http://msmvps.com/blogs/athif/pages/49608.aspx)

> > > Browse C:\windows\ServicePackFiles\i386 where wuapi.dll is located.

> > > Restart the system. Same Access is Denied error

> > > - Any attempt to "net stop/start wuauserv" returns Access is Denied

> > >

> > > Random clues:

> > >

> > > %windir%\inf\wuau.adm

> > > ======================

> > > I notice in this file it uses,

> > > KEYNAME "Software\Policies\Microsoft\Windows\WindowsUpdate\AU"

> > > which is a path I don't have under HKLM, does this indicate a problem?

> > >

> > > %windir%\setupapi.log

> > > =====================

> > > #-290 Processing REGISTERDLLS section [AU_dlls]. Binary:

> > > "%11%\wuaueng.dll",

> > > flags: 0x0001, timeout: 60s.

> > > #E127 Calling "DllRegisterServer" in OLE Control

> > > "C:\WINDOWS\system32\wuaueng.dll" failed. Error 0x80070005: Access is

> > > denied.

> > > #E291 Failed to register OLE server

> > > "C:\WINDOWS\system32\wuaueng.dll". Error 0x80070005: Access is denied.

> > >

> > > %windir%\WindowsUpdate.log

> > > ==========================

> > > - I added a Trace flag in registry for WindowsUpdate

> > > (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace,

> > > Flags=7, Level=4). Below is the log it generates during reboot.

> > > ------------------ 8< -----------------------

> > > 2009-02-06 11:52:47-0800 4708 16f4 OpenService failed with error

> > > 0x80070005

> > > 2009-02-06 11:52:47-0800 4708 16f4 WU client fail to create WU service

> > > with

> > > error 0x80070005

> > > 2009-02-06 11:53:20-0800 4080 248 OpenNamedService failed (0x80070005) for

> > > service "wuauserv", permissions = 0x00000004

> > > 2009-02-06 11:53:20-0800 4080 248 AU service is not running.

> > > 2009-02-06 11:53:20-0800 4080 248 WUCheckForUpdatesAtShutdown failed,

> > > hr=8024000C

> > > 2009-02-06 11:54:03-0800 1104 af8 AU service is not running.

> > > 2009-02-06 11:54:03-0800 1104 af8 WUAutoUpdateAtShutdown failed,

> > > hr=8024000C

> > <snip>

> >


Guest MowGreen

http://entwindows.com/forums/forum_posts.asp?tid=2357&pn=2

 

Try that link, simon.

 

 

MowGreen

===============

-343- FDNY

Never Forgotten

===============

 

banthecheck.com

"Security updates should not have non-security content prechecked"

 

 

 

simon wrote:


> Hi james

>

> would you like to tell the method which can fix this update error?

> The link "http://entwindows.com/................." which you gave cannot be opened.

> You can also mail to simon.meng@the-ascott.com

> thanks a lot for your help

>

>

>

> "James" wrote:

>


>>I found a fix!!!

>>

>>Thanks for the suggestions. I ran MSRT (20 hrs!), OTListIt2 and Security

>>Check. Fortunately no malicious software was found. I did run multiple

>>scans with Norton and AdAware in safe mode before and removed suspicious

>>software. However, there is really useful information from the scan output.

>>

>>Turns out the Security setting of wuauserv was corrupted. Can't remember

>>how it happened. But it might have something to do with some settings during

>>multiple scans.

>>

>>Anyway, I was able to fix it by following the steps as described here:

>>http://entwindows.com/forums/forum_posts.asp?tid=2357&pn=2.

>>

>>Thanks for the help.

>>

>>James

>>

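The quoted log line `OpenNamedService failed (0x80070005) for service "wuauserv", permissions = 0x00000004` and James's finding that the service's security setting was corrupted both point at the service DACL. As an added example (not from the thread or the linked fix), this Python parses the SDDL string that `sc sdshow <service>` prints and replays the ordered ACE check for a requested access mask; both descriptors below are constructed samples, not wuauserv's real or default descriptor, and generic rights, ownership and privileges are not modelled.

```python
import re

# Two-letter SDDL rights codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": 0x0001,  # SERVICE_QUERY_CONFIG
    "DC": 0x0002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,  # SERVICE_QUERY_STATUS (the 0x00000004 in the quoted log)
    "SW": 0x0008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,  # SERVICE_START
    "WP": 0x0020,  # SERVICE_STOP
    "DT": 0x0040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,  # SERVICE_INTERROGATE
    "CR": 0x0100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000, "RC": 0x00020000,  # DELETE, READ_CONTROL
    "WD": 0x00040000, "WO": 0x00080000,  # WRITE_DAC, WRITE_OWNER
}

# Constructed sample descriptors (assumptions for illustration only).
INTACT = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
          "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)")
DAMAGED = "D:(D;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)"

def rights_to_mask(rights):
    """Convert an ACE rights field (letter codes or 0x hex) to a bit mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    # Codes outside the table (e.g. generic rights) are ignored here.
    return sum(SERVICE_RIGHTS.get(c, 0) for c in set(re.findall("..", rights)))

def parse_dacl(sddl):
    """Return the DACL as an ordered list of (ace_type, mask, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    fields = (ace.split(";") for ace in re.findall(r"\(([^)]*)\)", m.group(1)))
    return [(f[0], rights_to_mask(f[2]), f[5]) for f in fields]

def access_check(sddl, trustees, desired):
    """Walk ACEs in order: a deny ACE that hits a still-needed bit fails
    the request; allow ACEs clear the bits they grant."""
    remaining = desired
    for ace_type, mask, sid in parse_dacl(sddl):
        if sid not in trustees:
            continue
        if ace_type == "D" and mask & remaining:
            return False
        if ace_type == "A":
            remaining &= ~mask
    return remaining == 0

if __name__ == "__main__":
    admin = {"BA", "AU"}  # SID aliases held by a member of Administrators
    for name, sd in (("intact", INTACT), ("damaged", DAMAGED)):
        print(name, "query status:", access_check(sd, admin, 0x0004))
```

With the damaged sample, an Administrators member is refused even SERVICE_QUERY_STATUS, which is the same symptom as Error 5 when opening the service's properties.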

  • 2 weeks later...
Guest chrishongrocks

THANK YOU THANK YOU THANK YOU!

 

Specifically BayAreaDave and LightCC...

 

I must have spent about 8 hours total researching and trying different

things for this fix and the information on here fixed the problem for

me. I created this account just to thank you guys. Automatic Updates

is running fine now.

 

 

--

chrishongrocks
