Suspicious spupdsvc.exe activity

WIN XP SP3, Comodo ver. 4.1.150349.920

Yesterday when I booted my PC and prior to receiving a task bar popup that WINUpdates had updates available, I received a popup notification from Defense+ that spupdsvc.exe wanted to update my registry. I disallowed the request initially and then subsequently received a task bar popup that WINUpdates were available. I allowed the download and installed the updates and verified they were installed correctly via Event Manager.

Next, I modified the custom rule for services.exe in Defense+ to allow registry mods to HKLM\SYSTEM\ControlSet001\Services\spupdsvc for Protected Registry Keys. Prior to rebooting, I verified that the above registry key was indeed present in my Registry and that it was for the run once feature XP uses to inform that a reboot is required. I then rebooted and subsequently verified that the key was removed from the Registry.

Now the evening of the prior day, I had manually done a WinUpdate and installed a new ver. of WIN mediaplayer, etc. I did not receive any notice to reboot as I recall. I am wondering if all this is related to that event? I also installed Prevx SafeOnline that same day.

Anyway, I need to know what I have to do in Defense+ to facilitate spupdsvc.exe. Do I have to add a rule for it and treat it as updater/installer? I do realize that malware can use this to install itself at boot time - correct?


Windows XP Spupdsvc-exe...

Description: spupdsvc.exe is a process which belongs to the Microsoft Update RunOnce Service. This program is a non-essential process to the running of the Windows XP operating system.

In the software developer world it is known as one of the “Package Installer-related Files” and is referred to as a Windows service that runs after a reboot if the installation requires processes to be executed after a reboot.

Src: http://www.updatexp.com/spupdsvc-exe.html

Hi Eric,

My question. Is “Next, I modified the custom rule for services.exe in Defense+ to allow registry mods to HKLM\SYSTEM\ControlSet001\Services\spupdsvc for Protected Registry Keys.” OK to keep as is? Also why did not Defense+ auto generate this if it is a “safe” application?

I am a bit curious as to why I have never received this alert from Defense+ on previous WINUpdates, which I have done many times to date?

I also noticed an HKLM\SYSTEM\ControlSet001\Services\nosGetPlusHelper for Services.exe allow registry mods rule that is even more puzzling.

There is no problem with giving services.exe that right. Services.exe will always ask. That is by design. Every process can call services.exe to let it create service autoruns. That’s why the user has the last say.

I am a bit curious as to why I have never received this alert from Defense+ on previous WINUpdates, which I have done many times to date?
Couldn't think of one either right now (02:42 here).
I also noticed an HKLM\SYSTEM\ControlSet001\Services\nosGetPlusHelper for Services.exe allow registry mods rule that is even more puzzling.
I think you must have done that yourself and forgot. Is this only in ControlSet001? Not in CurrentControlSet? To what program does nosGetPlusHelper belong?
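The two questions above (which program an unfamiliar entry under the Services key belongs to, and whether it exists only in ControlSet001 or also in CurrentControlSet) can be answered by listing the service autoruns services.exe has created. The following is an added PowerShell example, not code from the thread or from Comodo; it assumes PowerShell 2.0 or later, an elevated prompt, and uses the control-set key names discussed in the thread.

```powershell
# Added example: enumerate service autoruns under the chosen control set,
# resolve each ImagePath to a file on disk, and report its Authenticode
# signature status so an unknown service name can be tied to a program.
param(
    [string]$ControlSet = 'CurrentControlSet'   # or 'ControlSet001' to compare
)

$servicesKey = "HKLM:\SYSTEM\$ControlSet\Services"

function Resolve-ServiceBinary {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    # Expand %SystemRoot%-style variables and the \SystemRoot\ and \??\ forms
    # that driver and service entries commonly use.
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath)
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    # Strip arguments: either a quoted path or the first token ending in a binary extension.
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(\S+\.(exe|sys|dll))') { $p = $Matches[1] }
    # Bare system-relative paths such as system32\drivers\foo.sys
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    if ($props.ImagePath) {
        $binary = Resolve-ServiceBinary $props.ImagePath
        $sig = if ($binary -and (Test-Path $binary)) {
            (Get-AuthenticodeSignature $binary).Status
        } else { 'BinaryMissing' }
        New-Object PSObject -Property @{
            Service     = $_.PSChildName
            DisplayName = $props.DisplayName
            Start       = $props.Start      # 2 = Automatic, 3 = Manual, 4 = Disabled
            ImagePath   = $props.ImagePath
            Binary      = $binary
            Signature   = $sig
        }
    }
} | Where-Object { $_.Signature -ne 'Valid' } |
  Sort-Object Service | Format-Table Service, Start, Signature, Binary -AutoSize
```

Running it once with the default and once with `-ControlSet ControlSet001` shows whether an entry such as nosGetPlusHelper is present in both sets; anything listed with an unsigned or missing binary is the entry worth looking up before allowing its rule.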

Looks like I am not the only one with this problem: windows update and firewall/defense alert | urban75 forums.

Forget nosGetPlusHelper. It’s a valid XP service.

Hmm… Occurred to me that this activity started after I installed Prevx SafeOnline. This was the first WINUpdates I had done manually with Prevx installed. I suspect its boot processing might do something to run once at boot processes such as the one WINUpdates initiates on occasion. Probably best to turn off Prevx when doing WINUpdates manually. Ditto for many malware removers that require a reboot to complete their “cleaning” processing.

Many of the new HIPS like Prevx, Defensewall, and the like seem to choke on WINUpdates.

Comments?