Home / server / Questions / 169532
Accepted
Luke
Asked: 2010-08-12 13:39:43 +0800 CST

Any way to identify what user account launched Windows Update?

  • 772

I'm doing some forensics to try to figure out which noob updated and rebooted a critical server at the most inopportune moment. Is there any way to determine the user account that launched Windows Update? Specifically on Windows Server 2003.

windows windows-server-2003 windows-update

3 Answers

  1. Best Answer

    In my opinion it's more important to make sure that the appropriate controls, understanding, and policies are in place to prevent this from happening again. Make it known to the entire admin group about what happened, why it was the wrong thing to do at the wrong time, why it can't ever happen again, etc., etc.

    Too often, companies are focused on spilling blood when mistakes are made (you may be under pressure from the higher-ups to find the culprit) instead of focusing on correcting and preventing the mistakes. Too much finger pointing creates a toxic work environment and leads to poor work, low morale and productivity, and high turnover.

    • 6

  2. For a Server 2003 machine, in the System event log, you are likely to see a bunch of 4377 events associated with a username at the time the updates were installed. Possibly some 7035 events (services starting) as well. These may be more useful to you than anything you would find in the Security event log.

    It's entirely possible that one of your newbies installed the updates and the other one accidentally clicked "Yes" on a reboot prompt. But, critical servers should never be updated during production hours: even if the restart is postponed, the update process itself has the potential to disrupt services. For example, services that use the .NET framework may be stopped by .NET updates even if the reboot is postponed.

    I definitely agree with @joeqwerty's assessment that this is ultimately about the policies and controls that your IT organization has in place.

    • 2

  3. I managed to find out by running windowsupdate.log from the run box and CTRL+F for our IT users, doesn't neccesarily help for a large companies with hundreds of IT users however for a smaller company with a smaller internal team it was quick to find who had run the update. Showed the following (have stripped out the username with "USERNAMEHERE":

    2016-11-06  09:38:19:591    1020    c40 AU  All updates already downloaded, setting percent complete to 100
2016-11-06  09:38:21:599    1020    15a4    AU  All updates already downloaded, setting percent complete to 100
2016-11-06  09:38:21:601    1020    18c0    Handler Attempting to create remote handler process as "USERNAME HERE" in session 3
2016-11-06  09:38:21:794    1020    18c0    DnldMgr Preparing update for install, updateId = {12C7A5E2-8CE1-47F6-9203-202C83A4AEFC}.200.
2016-11-06  09:38:21:858    3692    13e0    Misc    ===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========
2016-11-06  09:38:21:858    3692    13e0    Misc      = Process: C:\Windows\system32\wuauclt.exe
2016-11-06  09:38:21:858    3692    13e0    Misc      = Module: C:\Windows\system32\wuaueng.dll
    • 2