• Unidentified Windows Update process


    • #44030

    An interesting observation from Noel Carboni: UPDATE Noel notes: It turns out ctldl.windowsupdate.com is a legitimate security check: https://technet.

    • #44031

      I’ve learned more…

      It turns out ctldl.windowsupdate.com is a legitimate security check:

      https://technet.microsoft.com/en-us/library/dn265983.aspx

      Why Explorer did it is still a bit of a mystery, and it’s not from Classic Shell as it turns out I had the Classic Shell auto-update check already disabled on the Win 7 system.

      Perhaps the expiration of a certificate invoked this behavior on all systems.

      -Noel

    • #44032

      A lot of processes in Windows do what Internet Explorer's Advanced options designate as “Check for publisher’s certificate revocation”. That setting is common to other components of Windows, maybe Windows Explorer, so by disabling it, frequent checks are avoided, although I do not recommend disabling that check box, which is enabled by default.
      .NET Framework does the same, and this is presented here: https://support.microsoft.com/en-us/kb/936707
      This applies to .NET Framework 4.x as well, by using the relevant configuration files.
      The same thing, related to a particular situation in Citrix XenApp and .NET Framework: https://support.microsoft.com/en-us/kb/936707

      Disabling the certificate checks is more common in enterprises where various servers and PCs are not directly connected to the Internet, but via proxy servers. Although it is possible to set the proxy per-system with netsh, this is not commonly configured, and this is what the article linked by Noel on TechNet explains and provides workarounds for.

      It is a good thing that this was posted by Noel via Woody to clarify some of the accesses which otherwise may look to less aware users as not legitimate.

      For those interested in monitoring the certificate related activity, there is a CAPI2 log under Event Viewer which is disabled by default and needs to be enabled. After a while, maybe 1 month or so, the log is again disabled by the internal routines in Windows.

    • #44033

      Thanks for the thorough and intelligible knowledge bomb.

      I have no idea if/when I would need to know this, but I’m very glad we have experts like yourself spreading the erudition around, CH.

      And thanks to Noel also. I get anxiety whenever my WFN (simple utility) pops up some new outgoing IP connection with Block/Allow?

      I haven’t booted up my home PC in a few days, and now I know if I see this not to worry.

    • #44034

      Major clarification.

      ctldl.microsoft is not about revocation checks at all. It is about updating the list of trusted root certificate authorities from the preinstalled tiny set of outdated ones to the (ever changing) list of CAs approved by Microsoft. Updates from ctldl are controlled by a different setting than Windows Updates or revocation checks, and it usually happens in whatever process happens to check the validity of a certificate not yet on the ctldl, and/or on regular intervals to check if any certificates were distrusted by Microsoft.

      You can see the list of CAs already installed in the certificates MMC add-on (have to create your own MMC layout for that) or in a subdialog of the “Contents” tab of Internet Options. From there you can also modify the list according to your own trusts. But there is no direct user interface to review or change the trusts and distrusts that your PC has not yet downloaded from Microsoft.

      As one additional twist, the check against downloads signed with the outdated SHA-1 algorithm after Jan 1, 2016 only happens if the corresponding root certificate was installed by the ctldl download process (or was on the Windows CD), not if the very same certificate was installed manually or via group policy. This is almost documented by Microsoft saying it only applies to the root certificates they trust (though they have not publicly admitted that it is somehow linked to how the root certificate was installed on the end user PC).

      As for relevant Windows Updates, I know about 3: KB2813430 (Oct 23, 2014, maybe older) enhances the certreq command line tool to allow downloading the ctldl list to a directory of files that you can pick and choose from. KB3004394 (Mar 2015) increased the timed checks from weekly to daily. KB3135996 (Mar 2016) requires that one of the download-only certificates is installed first.

      KB3149737 (not an update as such) explains how to manually download and distribute the list instead of letting Windows check ctldl.microsoft. The text in KB3149737 begins with some chat about the need to do this if you turned off automatic checks on Windows 7/2008R2 due to a specific root not being installed by default, but then goes on to provide a useful overview of ways to manage the trusted root list manually.
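      An added PowerShell example, written for this page and not posted by anyone in the thread, that ties together the CAPI2 log mentioned in #44032 and the root-list / automatic-update behaviour discussed in #44034: it enables the CAPI2 Operational log, pulls recent events that mention the ctldl host, reports whether root auto-update has been switched off by policy, and lists the roots currently in the machine store with their expiry. It assumes Windows PowerShell run as Administrator; the AuthRoot policy key and DisableRootAutoUpdate value are taken from Microsoft's root-update documentation rather than from this thread (assumption, check against the TechNet article Noel linked).

```powershell
# Added example (not from the thread). Run in an elevated Windows PowerShell.

# 1. The CAPI2 Operational log is disabled by default (see #44032). Enable it and
#    raise its size so the entries are not overwritten within a few days.
wevtutil sl "Microsoft-Windows-CAPI2/Operational" /e:true /ms:33554432

# 2. Pull recent CAPI2 events that reference the ctldl host, so an outbound
#    connection seen in a firewall prompt can be matched to a trust-list fetch.
Get-WinEvent -LogName "Microsoft-Windows-CAPI2/Operational" -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ctldl\.windowsupdate\.com' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize

# 3. Report whether automatic root-certificate updates have been disabled by
#    policy (assumed key/value from Microsoft's root-update documentation).
#    A value of 1 means the machine never downloads the ctldl list, so its
#    trusted-root set will go stale and newly distrusted CAs stay trusted.
$authRootPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disable = (Get-ItemProperty -Path $authRootPolicy -Name DisableRootAutoUpdate `
            -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disable -eq 1) { "Root auto-update: DISABLED by policy (trust list will not refresh)" }
else                { "Root auto-update: enabled (default)" }

# 4. List the roots actually present in the machine store (the same set the
#    certificates MMC snap-in shows, per #44034), oldest expiry first, and flag
#    any that expire within 90 days.
Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object Subject, NotAfter, Thumbprint,
        @{ n = 'ExpiresSoon'; e = { $_.NotAfter -lt (Get-Date).AddDays(90) } } |
    Sort-Object NotAfter |
    Format-Table -AutoSize
```

      Roots pushed by ctldl land in this store only after Windows has needed them once, so an empty result in step 2 with a short list in step 4 simply means no chain validation has triggered a download yet.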

    • #44035

      I think John is right in relation to the ctldl site which is ctldl.windowsupdate.com. You cannot browse directly to that site as it is meant to be used by an internal process and not by Internet Explorer or any other browser.
      The other considerations in my post are valid too, maybe not in relation to that particular site though.

    • #44036

      What firewall do you use?
      Thanks,
      Morty

    • #44037

      MSE/Defender. I have for many, many years.
