Windows 8.1 removing “installed” updates

This in from Noel Carboni:

Scheduled nightly on all my systems I run a script I’ve developed that gathers and logs various information that will be useful if something goes wrong or I’m investigating something that’s been found to be changed.  More information and a copy of this script is available here if you’re interested:

http://win10epicfail.proboards.com/thread/114/watch-system-changes

I just reviewed the output from my script on one of my Win 8.1 systems, comparing it to prior runs and I noticed something – specifically the section where installed updates are listed.  I found a REDUCTION in the number of installed updates between the nightly runs on 4/26 and 4/27.  Doing a bit of sleuthing I discovered it was the CbsTask that removed them, apparently as part of regularly scheduled system maintenance.

Specifically, these KBs were removed in the wee hours of April 26:

KB3018467

KB3019215

KB3035017

KB3035487

KB3035527

KB3049989

KB3060746

KB3069114

KB3072633

KB3080446

KB3087039

KB3087390

KB3099864

KB3101183

KB3101246

KB3102939

KB3105115

KB3107998

KB3108347

KB3108381

KB3121212

KB3121260

KB3126041

Per the event logs, the deed was done starting with these events:

Log Name:      Application

Source:        ESENT

Date:          4/26/2016 3:14:55 AM

svchost (8036) Instance: The database engine (6.03.9600.0000) is starting a new instance (0).

Log Name:      Application

Source:        ESENT

Date:          4/26/2016 3:14:55 AM

svchost (8036) Instance: The database engine started a new instance (0). (Time=0 seconds)

Log Name:      Application

Source:        ESENT

Date:          4/26/2016 3:14:55 AM

svchost (8036) Instance: The database engine attached a database (1, C:\ProgramData\Microsoft\Windows\AppRepository\PackageRepository.edb). (Time=0 seconds)

Log Name:      Setup

Source:        Microsoft-Windows-Servicing

Date:          4/26/2016 3:17:15 AM

Initiating changes for package KB3018467. Current state is Installed. Target state is Absent. Client id: CbsTask.

Then there were many more like the above over the next minute, listed as “Current state is Absent.”, “Current state is Installed”, or “Current state is Superseded.”, and all with “Target state is Absent.”  The activity completed at 3:18:15.

This activity didn’t occur as a direct result of a Windows Update, though it may have been indirectly related to the most recent Windows Update run a few days prior.  The machine does NOT do automatic updates (Windows Update is disabled except when manually initiated), and the most recent manual run was on the 22nd.  These removals just happened as a result of a regularly scheduled maintenance job, apparently.

Assuming this activity is normal and to be expected, I guess these updates must be rescinded, superseded, or no longer applicable for some reason?   I Googled a few of them and didn’t get any clear reading on that.

Thinking back I can’t say I remember noticing this particular kind of activity before, though it could be it just didn’t catch my eye – Windows Updates didn’t USED to be things one had to watch as carefully as we do today…

Heh – the things our computers do late at night when we’re not around, eh?

I thought this might be interesting for your readers.  I’d love to hear others’ comments and insights on this activity.