May 13, 2017  Update Orchestrator Service run amok. Today (six days after allowing the 'Anniversary Update'), the Update Orchestrator Service for Windows Update began using 25%+ of my CPU, more power than my Surface Book i7 can charge from a 12V supply! Restart would stop it for a few minutes, but it would begin again by itself. That desktop PC, and with windows 10 1709 Enterprise on it, nothing serious have been tweaked about updates (some tweaks to not install updates automatically in Group Policy), no Network Domain/AD used. So this is normal? As far I know that Update orchestrator does not used in common editions.

Michael Horowitz

[Formatted for Printing]

From the personal web site of Michael Horowitz

Killing Windows Update on Windows 10 - a cheat sheet

Initial release: December 5, 2018 Last Updated: January 8, 2019
Comments on this article are at askwoody.com.

Microsoft can not conceive of a valid reason for a Windows 10 user not to want the latest bug fixes. Bug fixes good, is their corporate mantra. They are, however, wrong. Not only are there many instances where stability trumps patches, they have shown over and over again that their patches are not to be trusted. Just this week, Windows 10 bug fixes caused the Surface Book 2 to crash.

My recent blog Defending against Windows 10 bug fixes discussed many options for postponing bug fixes but none, other than keeping the computer off-line, are foolproof. The most interesting section of that very long blog is A full frontal attack on Windows Update. This is a simplified, cheat sheet, version of that section.

Back on Windows 7, it was so much easier to disable Windows Update, there was just one service to worry about. Those were the good old days. With Windows 10, there are three aspects to disabling Windows Update: shutting down multiple Services, disabling many Scheduled Tasks and preventing the parts of Windows Update that can not be easily shut down from phoning home. Microsoft has limited the first two options, some services and started tasks can not be disabled, even by Administrative users. And, like the Walking Dead, some services and tasks that we can disable, get re-enabled over time by the ones that can not be disabled. That leaves the Windows Firewall as our biggest hammer.

Every Windows Service and Scheduled Task referred to below is not installed on every Windows 10 machine. This is because Windows Update keeps changing, in large part, to prevent people from doing just this.

Note that this is not well worn territory, and I do not claim to be an expert on Windows Update.

SERVICES

Try to disable all the services involved with Windows Update.

You should be able to disable the legacy Windows Update Service (wuauserv) and the Windows Remediation Service (sedsvc).

Windows 10 Update Facilitation Service (osrss) can not be stopped or disabled.

My experience with the other two services (Update Orchestrator Service (UsoSvc) and Windows Update Medic Service (WaaSMedicSvc) has been inconsistent.

SCHEDULED TASKS

As with Services, try to disable all the Scheduled Tasks you can. Note that whatever software you use to deal with scheduled tasks, it must run as an Admin user. There are some tasks that restricted/standard users can not even see. (Updated Dec 8, 2018)

1. AC Power Download can not be disabled
2. Maintenance Install can be disabled
3. MusUx_UpdateInterval On one PC I could disable it, on another I could not
4. MusUx_LogonUpdateResults can not be disabled normally
5. PerformRemediation can not be disabled
6. Reboot can not be disabled
7. Scheduled Start can be disabled
8. Schedule Scan can not be disabled
9. shell can be disabled
10. sih can be disabled
11. sihboot can be disabled
12. UpdateAssistant can be disabled
13. UpdateAssistantCalendarRun not sure
14. UpdateAssistantWakeupRun not sure
15. USO_Broker_Display can not be disabled

I have not seen, but have read about other Windows Update related scheduled tasks: USO_UxBroker_Display, USO_UxBroker_ReadyToReboot, Policy Install and Resume On Boot.

For dealing with the Windows Task Scheduler, I suggest TaskSchedulerView by Nir Sofer. It is free, portable and from a trustworthy source.

BLOCK SERVICES WITH THE FIREWALL

While some Services and Started Tasks are off-limits, everythingSkyrim armory of tamriel. can be blocked in the Windows firewall.

Perhaps my big contribution here is the idea of blocking a Windows service from phoning home. Firewalls traditionally block ports, IP addresses and programs but the Windows firewall can also block a Windows Service. We need this since many services run under the svchost.exe program.

To block a Service

1. Control Panel ->
2. Windows Defender Firewall ->
3. Advanced Settings ->
4. Outbound rules (left side column) ->
5. sort the rules by Group to make the ones you create display at the top
6. New Rule .. (right side column) ->
7. Click the Customize.. button near Services ->
8. Apply to this service ->
9. Scroll to the service and click on it to highlight it in blue ->
10. OK -> Next ->
11. Take the default values for protocols or ports, so just click the Next button ->
12. Take the default values for IP addresses so just click the Next button ->
13. Blocking the connection is the default, that is what we want, so just click Next button ->
14. Domain, Private and Public are defaulted on which we want, so just click Next ->
15. Give the rule a name like Block Svc xxxx and Finish

Do this for every Windows Update service on the PC: Windows Update, Windows Update Medic, Windows Remediation, Update Orchestrator and Windows 10 Update Facilitation.

BLOCK PROGRAMS WITH THE FIREWALL

These Windows Update related programs definitely phone home to Microsoft, so they should be blocked too.

• C:WindowsSystem32sihclient.exe
• C:WindowsSystem32WaaSMedic.exe
• C:Program Filesremplsedlauncher.exe

The click stream for blocking a program is a bit different from blocking a service. It is:

1. Control Panel ->
2. Windows Defender Firewall ->
3. Advanced Settings ->
4. Outbound rules (left side column) ->
5. Sort the rules by Group to make the ones you create display at the top
6. New Rule .. (right side column) ->
7. Program is the default so just click Next ->
8. Enter the program path and click Next ->
9. Block the connection is the default so just click Next ->
10. By default, Domain, Public and Private are all checked, so just click Next ->
11. Give the new rule a name like Block Prog xxxx then click Finish

These Windows Update related programs may or may not phone home to Microsoft, I don't know. To be fully protected, they should be blocked with an outbound firewall rule too.

• C:Windowssystem32sc.exe
• C:WindowsSystem32sihclient.exe
• C:Windowssystem32usoclient.exe
• C:Windowssystem32MusNotification.exe
• C:WindowsUpdateAssistantUpdateAssistant.exe

In the end, your firewall rules will look something like those below.

The Windows Remediation Service (sedsvc) is C:Program Filesremplsedsvc.exe. Blocking the Service may be sufficient, but to be thorough, you can block it as a program too. According to this article, these other programs are also involved in Windows Update: eosnotify.exe, windows10upgraderapp.exe, remsh.exe (pretty sure this has been retired), dismHost.exe, InstallAgent.exe and Windows10Upgrade.exe. I have not seen them. A user comment to this article also mentions the Windows10UpgraderApp.exe but adds that it is in the C:Window10Upgrade folder. (Updated Dec 6, 2018)

Outbound firewall rules can also be used to prevent Windows 10 telemetry from phoning home to Microsoft, but that's another whole topic. In the image above, compatTelRunner.exe is telemetry and SearchUI.exe is Cortana.

FINAL THOUGHTS

It would be nice to know the fewest changes needed to block Windows Update on Windows 10 but that is likely to change over time, so it doesn't pay to invest a lot of effort into answering the question.

As thorough as all this may seem, there may well be registry zaps that let you disable the Services and Started Tasks that are normally off-limits. I have not looked into this. If Windows Update can not phone home, then it is not critical to prevent every part of it from executing.

Which begs the question, is Windows Update still phoning home? A great program that helps answer this question is TcpLogView by Nir Softer. It shows every IP address your computer makes an outbound connection to and the process or program that made the connection. Often, it also shows the name of the contacted computer. (Added Dec 7, 2018)

Of course, if you succeed in blocking patches, at some point you will want or need them. To maintain the most control, see the section on Manual Updating in my earlier blog. (Added Dec 5, 2018)

Finally, there are still other ways to attack Windows Update. Reddit user WelshWorker explained his procedure in PERMANENTLY Disabling Windows 10 Upgrade Assistant to stay on one build. His additional steps include blocking 15 domains used by Windows Update, removing all permissions from three Windows Update folders, creating firewall rules to block network communication for the .EXE files in those folders and deleting the contents of the SoftwareDistribution folder. He also has a script to automate some of it.

Makes the stuff above seem not so paranoid.

@defensivecomput	TOP	Home => Killing Windows Update on Windows 10

michael--at--michaelhorowitz.com	Last Updated: January 8, 2019 5 PM
Copyright 2001-2020	Copyright 2001-2020

Software updates are a really essential a part of any trendy system. Updates deliver in new options, removes vulnerabilities and makes the gadgets safer. Windows 10 too, will get Windows Updates which be sure to are at all times safe and working the latest model of the software program. This is facilitated with the assistance of Windows Services that could be working in the background. Update Orchestrator Service is one such service that occurs to deal with Windows Updates.

Update Orchestrator Service (UsoSvc) in Windows 10

Update Orchestrator Service, because the title suggests is the service which arranges Windows Updates for you. This service is accountable for downloading, putting in and verifying the updates to your laptop. If it is stopped, your system won’t be able to obtain and set up the latest updates.

If you’re utilizing Windows 10 v1803 or later, then your laptop is configured to start out as follows – Automatic (Delayed). The service is determined by the Remote Procedure Call (RPC) service and can’t be began if RPC is disabled.

There may be situations if you would possibly discover in Task Manager that Windows Update is consuming a variety of CPU, Memory or Disk assets in your laptop. And there are honest possibilities, Update Orchestrator Service may very well be accountable. The cause behind this Service consuming a variety of assets is that there may be an ongoing replace set up in the background. Remember that the useful resource consumption is non permanent, and it’ll routinely cool down after a while.

During this time, Update Orchestrator Service is both putting in or verifying the integrity of the downloaded replace. It is in no way really helpful to cease or disable this service. Disabling it means, disabling latest updates and options in your laptop which is neither really helpful nor desired.

Can you disable Update Orchestrator Service?

In case you have to, you’ll be able to quickly cease Update Orchestrator Service. All you have to do is , find the Update Orchestrator Service in the listing, right-click on it and choose Stop button to cease the service fully.

But in the event you open its Properties and see, you won’t be able to vary the startup kind – it will likely be grayed out! So stopping the Service can function a brief measure – you can’t disable it. When handy you could use the Start button to start out the service, or it will likely be began when you restart your laptop.

If it begins consuming assets once more, it is greatest to go away your laptop for some time in order that updates are put in in the background.

Update Orchestrator Service is one of the crucial vital providers required by Windows to deliver in new updates to your laptop. It is not really helpful to maintain this service disabled for longer even when it exhibits excessive CPU and disk utilization.

Update Orchestrator Service is turned off as a consequence of an error

If by probability, you obtain this error, you could must parts.

Read subsequent concerning the or WaaSMedicSVC.