Any way to identify what user account launched Windows Update?
Solution 1
In my opinion it's more important to make sure that the appropriate controls, understanding, and policies are in place to prevent this from happening again. Make it known to the entire admin group about what happened, why it was the wrong thing to do at the wrong time, why it can't ever happen again, etc., etc.
Too often, companies are focused on spilling blood when mistakes are made (you may be under pressure from the higher-ups to find the culprit) instead of focusing on correcting and preventing the mistakes. Too much finger pointing creates a toxic work environment and leads to poor work, low morale and productivity, and high turnover.
Solution 2
For a Server 2003 machine, in the System event log, you are likely to see a bunch of 4377 events associated with a username at the time the updates were installed. Possibly some 7035 events (services starting) as well. These may be more useful to you than anything you would find in the Security event log.
It's entirely possible that one of your newbies installed the updates and the other one accidentally clicked "Yes" on a reboot prompt. But, critical servers should never be updated during production hours: even if the restart is postponed, the update process itself has the potential to disrupt services. For example, services that use the .NET framework may be stopped by .NET updates even if the reboot is postponed.
I definitely agree with @joeqwerty's assessment that this is ultimately about the policies and controls that your IT organization has in place.
Solution 3
I managed to find out by running windowsupdate.log from the run box and CTRL+F for our IT users. It doesn't necessarily help for large companies with hundreds of IT users; however, for a smaller company with a smaller internal team it was quick to find who had run the update. It showed the following (I have stripped out the username with "USERNAMEHERE"):
2016-11-06 09:38:19:591 1020 c40 AU All updates already downloaded, setting percent complete to 100
2016-11-06 09:38:21:599 1020 15a4 AU All updates already downloaded, setting percent complete to 100
2016-11-06 09:38:21:601 1020 18c0 Handler Attempting to create remote handler process as "USERNAME HERE" in session 3
2016-11-06 09:38:21:794 1020 18c0 DnldMgr Preparing update for install, updateId = {12C7A5E2-8CE1-47F6-9203-202C83A4AEFC}.200.
2016-11-06 09:38:21:858 3692 13e0 Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0000) ===========
2016-11-06 09:38:21:858 3692 13e0 Misc = Process: C:\Windows\system32\wuauclt.exe
2016-11-06 09:38:21:858 3692 13e0 Misc = Module: C:\Windows\system32\wuaueng.dll
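As an added example (not part of the answer above), the CTRL+F step can be turned into a small parser that pulls the "Attempting to create remote handler process as ... in session N" lines out of a legacy WindowsUpdate.log and pairs each one with the update IDs prepared for install right after it. The sample input is the excerpt quoted in the answer, with its placeholder username kept; the line layout assumed is the one visible in that excerpt (timestamp, PID, thread ID in hex, component, message), and the regular expressions, field names and the `HandlerLaunch` record are this example's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: the WindowsUpdate.log excerpt quoted in Solution 3,
# with the username placeholder left as the answer shows it.
SAMPLE_LOG = """\
2016-11-06 09:38:19:591 1020 c40 AU All updates already downloaded, setting percent complete to 100
2016-11-06 09:38:21:599 1020 15a4 AU All updates already downloaded, setting percent complete to 100
2016-11-06 09:38:21:601 1020 18c0 Handler Attempting to create remote handler process as "USERNAME HERE" in session 3
2016-11-06 09:38:21:794 1020 18c0 DnldMgr Preparing update for install, updateId = {12C7A5E2-8CE1-47F6-9203-202C83A4AEFC}.200.
2016-11-06 09:38:21:858 3692 13e0 Misc =========== Logging initialized (build: 7.6.7600.256, tz: -0000) ===========
2016-11-06 09:38:21:858 3692 13e0 Misc = Process: C:\\Windows\\system32\\wuauclt.exe
2016-11-06 09:38:21:858 3692 13e0 Misc = Module: C:\\Windows\\system32\\wuaueng.dll
"""

# Layout assumed from the excerpt: "<date> <hh:mm:ss>:<ms> <pid> <tid-hex> <component> <message>".
HANDLER_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}):(?P<ms>\d{3})\s+'
    r'(?P<pid>\d+)\s+(?P<tid>[0-9a-fA-F]+)\s+Handler\s+'
    r'Attempting to create remote handler process as "(?P<user>[^"]*)" in session (?P<session>\d+)'
)
INSTALL_RE = re.compile(
    r'Preparing update for install, updateId = \{(?P<id>[0-9A-Fa-f-]+)\}\.(?P<rev>\d+)'
)


@dataclass
class HandlerLaunch:
    """One interactive install handler launch found in the log (hypothetical record type)."""
    when: datetime
    user: str
    session: int
    pid: int
    updates: list = field(default_factory=list)  # update IDs prepared after this launch


def parse_handler_launches(text: str) -> list:
    """Return every handler launch in log order, each with the update IDs that followed it."""
    launches = []
    for line in text.splitlines():
        m = HANDLER_RE.match(line)
        if m:
            # %f accepts the 3-digit millisecond field as-is.
            when = datetime.strptime(f"{m['date']} {m['time']}.{m['ms']}",
                                     "%Y-%m-%d %H:%M:%S.%f")
            launches.append(HandlerLaunch(when, m['user'], int(m['session']), int(m['pid'])))
            continue
        m = INSTALL_RE.search(line)
        if m and launches:
            # Attribute the install to the most recent handler launch above it.
            launches[-1].updates.append(f"{m['id']}.{m['rev']}")
    return launches


def users_who_launched_installs(text: str) -> list:
    """Distinct usernames, in first-seen order, that an install handler was created as."""
    seen = []
    for launch in parse_handler_launches(text):
        if launch.user not in seen:
            seen.append(launch.user)
    return seen


if __name__ == "__main__":
    for launch in parse_handler_launches(SAMPLE_LOG):
        print(f"{launch.when.isoformat()}  user={launch.user!r}  session={launch.session}  "
              f"pid={launch.pid}  updates={launch.updates}")
```

Two caveats when running this against a real log: an install driven by the scheduled Automatic Updates task runs as SYSTEM and will not show an interactive account here, so an empty or SYSTEM result does not mean nobody clicked anything, and on Windows 10 and later the text WindowsUpdate.log no longer exists and has to be regenerated from the ETW traces with Get-WindowsUpdateLog before a parser like this can read it. Cross-checking the timestamp against the session's logon events in the Security log, as the comments below suggest, is what ties the username to a person.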
Luke
Updated on September 17, 2022

Comments

Luke, almost 2 years: I'm doing some forensics to try to figure out which noob updated and rebooted a critical server at the most inopportune moment. Is there any way to determine the user account that launched Windows Update? Specifically on Windows Server 2003.

Admin, almost 14 years: First place I'd check is the Security Event log and see who was logged in at the time.

Luke, almost 14 years: Unfortunately two users were logged in at the time and they're both pointing fingers in the other direction. This isn't motivated by upper management, I just want to know whose hand I should be holding in the future. And yes, maybe one is so smart that they faked the logs, but I doubt it. I suppose the best answer may be both!

Luke, almost 14 years: See comment above.

joeqwerty, almost 14 years: Gotcha. Maybe a conversation with both (simultaneously) is in order. The corporate culture in America is one mostly of fear. I've been there and it took me many years to get to the point where I just said "Yeah, I made a mistake. Here's what happened and here's what I'm doing to prevent it from happening again".