Defending yourself against Microsoft

Keeping Windows Update at bay

Yesterday I wrote that Windows is malware. I said this because:

Microsoft can and will update your copy of Windows whenever they feel like it, regardless of your wishes. And, they feel no obligation to tell you what they've done. Your computer is just a zombie to them.

Defending yourself against Microsoft involves turning off automatic updates and that's what this posting is about.

At first glance, turning off Automatic Updates seems simple enough. In Windows XP, you go to the Control Panel, then System, then the Automatic Updates tab and click on the radio button to turn off automatic updates (as shown below). But Windows is lying to you: simply doing this does not turn off Automatic Updates.

The thing that actually installs bug fixes is a component of Windows called the Automatic Updates service. A service is a computer program that runs in the background, so you're not aware that it's there. You may not even see it listed on the Processes tab of Task Manager. A single instance of the svchost.exe process hosts from one to many different services.

Windows consists of many services; the XP machine I'm using to write this posting has over 90. Some services directly translate to a visible feature of Windows. For example, if you have ever used Windows to configure a WiFi connection, then you've been communicating with the Wireless Zero Configuration service. The Automatic Updates service is the one that handles patches to Windows. The name sounds better than the Automatic Bug Fix Service, but that's what it is.

At any point in time a service is either started (on) or stopped (off). A computer that does not use WiFi, for example, should have the Wireless Zero Configuration service turned off since it won't be needed.

When Windows starts up, it turns on some services and does not turn on others, depending on an attribute of the service called the Startup Type. If the Startup Type is Automatic, the service is automatically started when Windows boots. If the Startup Type is either Manual or Disabled, the service is not started.

A Manual service can be started by another service on an as-needed basis. A Disabled service cannot be started until the Startup Type is changed to either Manual or Automatic.

When I said earlier that Windows is lying to you, I meant that even when Automatic Updates are turned off in the Services applet in the Control Panel, the underlying Automatic Updates service remains on. This is why Microsoft can update your computer whenever they feel like it.

To defend against the Borg Microsoft, disable the Automatic Updates service.

In Windows XP, go to the Control Panel, then Administrative Tools, then Services. You'll see a window like that above, listing each service, its current Status and Startup Type. A blank status means the service is not running (off); a status of "Started" means that it is (on). Get the properties of the Automatic Updates service and change the Startup Type to Disabled (see below).

Interestingly, disabling a service does not stop it if it's already running. If you want, you can also stop the current instance of the service, but the more important point is that the next time Windows starts up, it will be off. And it will remain off/disabled until you manually change the Startup Type.

But sometimes you want to install Windows bug fixes.

To do so, you need to change the Startup Type of the Automatic Updates service to Automatic and then start the service. Interestingly, the Windows Update web site will not function if the Automatic Updates service is running but the Startup Type is set to Manual. Microsoft really wants this service running all the time. I wonder why.

When you are done installing bug fixes, stop and disable the Automatic Updates service until next time. Note that the Background Intelligent Transfer service is also required for Windows Update to function, but it works fine, in Windows XP, with a Startup Type of Manual.
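
The same procedure from an administrator command prompt, as an added example that is not part of the original post. It assumes `wuauserv` and `BITS` are the short names of the Automatic Updates and Background Intelligent Transfer services, and `wu.cmd` is a hypothetical file name. The `status` branch reads the real Startup Type and state of each service rather than relying on the Control Panel radio button.

```batch
@echo off
rem Added example, not from the original post.
rem Assumption: wuauserv = Automatic Updates, BITS = Background Intelligent
rem Transfer (service short names on Windows XP).
rem Usage: wu.cmd status ^| lock ^| patch   (wu.cmd is a hypothetical name)

if /i "%~1"=="status" goto status
if /i "%~1"=="lock"   goto lock
if /i "%~1"=="patch"  goto patch
echo Usage: %~nx0 status ^| lock ^| patch
exit /b 1

:lock
rem Disabling only affects the next boot; a running instance keeps running,
rem so stop it as well. An error here just means it was already stopped.
sc config wuauserv start= disabled
sc stop wuauserv
goto status

:patch
rem The Windows Update site needs Startup Type Automatic AND a running service.
sc config wuauserv start= auto
sc start wuauserv
goto status

:status
rem START_TYPE = what happens at the next boot; STATE = what is true right now.
rem STATE may briefly read STOP_PENDING or START_PENDING after lock or patch.
echo --- Automatic Updates (wuauserv)
sc qc wuauserv | findstr /c:"START_TYPE"
sc query wuauserv | findstr /c:"STATE"
rem BITS must not be DISABLED for Windows Update to work; DEMAND_START (Manual) is enough.
echo --- Background Intelligent Transfer (BITS)
sc qc BITS | findstr /c:"START_TYPE"
sc query BITS | findstr /c:"STATE"
exit /b 0
```

Run `wu.cmd patch` before visiting Windows Update and `wu.cmd lock` afterwards; `wu.cmd status` after a reboot confirms that the service stayed disabled and stopped.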

Interestingly, this has always been my advice for dealing with automatic updates. At first, my opinion was based simply on the fact that I prefer to run Windows Update manually, so there is no need to have the Automatic Updates service running. Then, my opinion was strengthened by a bug in the Automatic Updates service that caused the poor processor to run at 100% usage, rendering your computer slow as molasses.

And now this.

Update: September 16, 2007. Clarified the point that disabling a running service does not stop the current instance of that service.