Any way to identify what user account launched Windows Update?

Solution 1

In my opinion it's more important to make sure that the appropriate controls, understanding, and policies are in place to prevent this from happening again. Make it known to the entire admin group about what happened, why it was the wrong thing to do at the wrong time, why it can't ever happen again, etc., etc.

Too often, companies are focused on spilling blood when mistakes are made (you may be under pressure from the higher-ups to find the culprit) instead of focusing on correcting and preventing the mistakes. Too much finger pointing creates a toxic work environment and leads to poor work, low morale and productivity, and high turnover.

Solution 2

For a Server 2003 machine, in the System event log, you are likely to see a bunch of 4377 events associated with a username at the time the updates were installed. Possibly some 7035 events (services starting) as well. These may be more useful to you than anything you would find in the Security event log.

It's entirely possible that one of your newbies installed the updates and the other one accidentally clicked "Yes" on a reboot prompt. But, critical servers should never be updated during production hours: even if the restart is postponed, the update process itself has the potential to disrupt services. For example, services that use the .NET framework may be stopped by .NET updates even if the reboot is postponed.

I definitely agree with @joeqwerty's assessment that this is ultimately about the policies and controls that your IT organization has in place.

Solution 3

I managed to find out by running windowsupdate.log from the Run box and CTRL+F for our IT users. It doesn't necessarily help for large companies with hundreds of IT users, but for a smaller company with a smaller internal team it was quick to find who had run the update. It showed the following (I have replaced the username with "USERNAMEHERE"):

2016-11-06  09:38:19:591    1020    c40 AU  All updates already downloaded, setting percent complete to 100
2016-11-06  09:38:21:599    1020    15a4    AU  All updates already downloaded, setting percent complete to 100
2016-11-06  09:38:21:601    1020    18c0    Handler Attempting to create remote handler process as "USERNAME HERE" in session 3
2016-11-06  09:38:21:794    1020    18c0    DnldMgr Preparing update for install, updateId = {12C7A5E2-8CE1-47F6-9203-202C83A4AEFC}.200.
2016-11-06  09:38:21:858    3692    13e0    Misc    ===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========
2016-11-06  09:38:21:858    3692    13e0    Misc      = Process: C:\Windows\system32\wuauclt.exe
2016-11-06  09:38:21:858    3692    13e0    Misc      = Module: C:\Windows\system32\wuaueng.dll
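The CTRL+F approach above is fine for a handful of admins, but the same log can be parsed rather than eyeballed. The following is an added example (not the answerer's code) that pulls every "Attempting to create remote handler process as ... in session N" line out of a legacy (agent 7.x) WindowsUpdate.log, attaches the update IDs prepared on the same thread, and reports the timezone the log header declares so the times can be lined up against the System/Security event logs. The sample log is constructed: the 09:38 lines mirror the ones quoted above (placeholder user name kept), the 09:52 lines and their GUID are invented.

```python
"""Extract who-launched-the-install evidence from a legacy WindowsUpdate.log.

Added example, not from the original answer. Assumes the Windows Update agent
7.x text format (date, time, PID, TID hex, component, message) and the English
message strings quoted in the answer above; the sample log is constructed.
"""
import re
import sys
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

# Constructed sample. The 09:38 lines mirror the answer above (placeholder user
# name kept); the 09:52 lines and the GUID in them are made up for illustration.
SAMPLE_LOG = r"""
2016-11-06  09:38:19:591    1020    c40 AU  All updates already downloaded, setting percent complete to 100
2016-11-06  09:38:21:599    1020    15a4    AU  All updates already downloaded, setting percent complete to 100
2016-11-06  09:38:21:601    1020    18c0    Handler Attempting to create remote handler process as "USERNAMEHERE" in session 3
2016-11-06  09:38:21:794    1020    18c0    DnldMgr Preparing update for install, updateId = {12C7A5E2-8CE1-47F6-9203-202C83A4AEFC}.200.
2016-11-06  09:38:21:858    3692    13e0    Misc    ===========  Logging initialized (build: 7.6.7600.256, tz: -0000)  ===========
2016-11-06  09:38:21:858    3692    13e0    Misc      = Process: C:\Windows\system32\wuauclt.exe
2016-11-06  09:38:21:858    3692    13e0    Misc      = Module: C:\Windows\system32\wuaueng.dll
2016-11-06  09:52:07:010    1020    1b3c    Handler Attempting to create remote handler process as "OTHERADMIN" in session 1
2016-11-06  09:52:07:215    1020    1b3c    DnldMgr Preparing update for install, updateId = {11111111-2222-3333-4444-555555555555}.100.
"""

# date  time(ms after last colon)  pid  tid(hex)  component  message
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>[0-9a-f]+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$"
)
HANDLER_RE = re.compile(
    r'Attempting to create remote handler process as "(?P<user>[^"]+)" in session (?P<session>\d+)'
)
UPDATE_RE = re.compile(r"Preparing update for install, updateId = (?P<uid>\{[0-9A-Fa-f-]+\}\.\d+)")
TZ_RE = re.compile(r"Logging initialized .*tz: (?P<tz>[+-]\d{4})")


@dataclass
class Record:
    when: datetime
    pid: int
    tid: str
    component: str
    message: str


@dataclass
class InstallEvent:
    when: datetime
    user: str
    session: int
    pid: int
    tid: str
    update_ids: List[str] = field(default_factory=list)


def parse_log(text: str) -> List[Record]:
    """Parse the log; lines that do not fit the format (wrapped/corrupt) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        # The trailing ':591' is milliseconds; %f accepts 3 digits.
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S:%f")
        records.append(Record(when, int(m["pid"]), m["tid"], m["comp"], m["msg"]))
    return records


def find_install_events(records: List[Record]) -> List[InstallEvent]:
    """One event per 'remote handler' line: the account and Terminal Services
    session the installer was spawned in. Update IDs prepared afterwards on the
    same PID/TID (up to the next handler launch) are attached to the event."""
    events = []
    for i, rec in enumerate(records):
        m = HANDLER_RE.search(rec.message)
        if not m:
            continue
        ev = InstallEvent(rec.when, m["user"], int(m["session"]), rec.pid, rec.tid)
        for later in records[i + 1:]:
            if later.pid != rec.pid or later.tid != rec.tid:
                continue
            if HANDLER_RE.search(later.message):
                break
            u = UPDATE_RE.search(later.message)
            if u:
                ev.update_ids.append(u["uid"])
        events.append(ev)
    return events


def log_timezones(records: List[Record]) -> List[str]:
    """Timezone offsets declared in 'Logging initialized' headers. Log times are
    local; use these when correlating with event-log timestamps."""
    return [m["tz"] for r in records if (m := TZ_RE.search(r.message))]


def format_event(ev: InstallEvent) -> str:
    return (f"{ev.when:%Y-%m-%d %H:%M:%S} session {ev.session} user {ev.user!r} "
            f"pid {ev.pid} tid {ev.tid} updates: {', '.join(ev.update_ids) or '(none)'}")


if __name__ == "__main__":
    # Usage: python wu_who.py C:\Windows\WindowsUpdate.log  (no argument: built-in sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_log(text)
    print("log timezone(s):", ", ".join(log_timezones(recs)) or "(none found)")
    for ev in find_install_events(recs):
        print(format_event(ev))
```

Two practical notes. On agents before Windows 10 / Server 2016 the file is a plain text log at %windir%\WindowsUpdate.log (that is what opening windowsupdate.log from the Run box displays); newer systems only produce it via Get-WindowsUpdateLog from ETW traces, so this parser targets the old format only. The session number in the handler line is the detail that settles the "two people were logged in" case: each interactive logon has its own session, so the line names the account whose session the install was started from, and the log's local timestamps (offset in the header) can then be matched against the 4377/7035 events in the System log.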
Author: Luke

Updated on September 17, 2022

Comments

  • Luke
    Luke almost 2 years

    I'm doing some forensics to try to figure out which noob updated and rebooted a critical server at the most inopportune moment. Is there any way to determine the user account that launched Windows Update? Specifically on Windows Server 2003.

    • Admin
      Admin almost 14 years
      First place I'd check is the Security Event log and see who was logged in at the time.
    • Luke
      Luke almost 14 years
      Unfortunately two users were logged in at the time and they're both pointing fingers in the other direction. This isn't motivated by upper management, I just want to know whose hand I should be holding in the future. And yes, maybe one is so smart that they faked the logs, but I doubt it. I suppose the best answer may be both!
  • Luke
    Luke almost 14 years
    See comment above.
  • joeqwerty
    joeqwerty almost 14 years
    Gotcha. Maybe a conversation with both (simultaneously) is in order. The corporate culture in America is one mostly of fear. I've been there and it took me many years to get to the point where I just said "Yeah, I made a mistake. Here's what happened and here's what I'm doing to prevent it from happening again".