9

I'd like to know what specific changes are introduced by a specified Windows Update update (i.e. kbxxxxxxxx).

Other option: I'd like to know which update introduced a specific file.

Reason: I'd like to cleanly remove the update with the get-Windows-10 app, and I don't have any of the widely known updates with GWX stuff installed. I first have to figure out which update introduced these files and scheduler entries again.

5
  • 2
    KB3035583 installed the get windows 10 malware, just uninstall this update and all will be good.
    – Moab
    Commented Dec 27, 2015 at 15:54
  • @Moab: Let me repeat: I don't have any of the widely known updates with GWX stuff installed. Including the infamous 3035583.
    – Spook
    Commented Dec 27, 2015 at 16:24
  • 1
    305583 is the only update that installs GWX
    – Moab
    Commented Dec 27, 2015 at 21:04
  • @Moab This is not true. support.microsoft.com/en-us/kb/3072318
    – Spook
    Commented Dec 28, 2015 at 19:39
  • See if this helps remove gwx. infoworld.com/article/2979572/microsoft-windows/…
    – Moab
    Commented Dec 28, 2015 at 20:58

4 Answers

11

Every Windows update is associated with a KB article that contains a list of updated or created files. That KB article is accessible at https://support.microsoft.com/en-us/kb/####### with all those #s replaced by the update number. (You can change en-us to your language code if you want.) For example, here's one that updates a bunch of timezone-related stuff. Some articles have the table in the article itself; others (like the linked one) have a link to download a CSV with the information.

If you don't trust that, you can download the standalone version of the update from the KB article. Extract it with the Windows Update Standalone Installer: wusa FULL_PATH_TO_MSU /extract:FULL_PATH_TO_DEST_FOLDER. For example:

wusa C:\Users\Ben\Downloads\Windows8.1-KB2693643-x64.msu /extract:C:\suspiciousUpdate

(For the curious, that "update" is the Remote Server Administration Tools package for Windows 8.1.)

Navigate to the destination folder. There might be a PkgInstallOrder.txt, which indicates that the update will run an executable in addition to doing the normal Component-Based Servicing stuff; you can look at that file to see exactly what will be done in what order. There will also be an XML document that lists the CAB packages that will be installed.

To get at the full list of files, you'll need to extract the .cabs. This can be done with WinRAR, but Windows Explorer can at least look into them. Inside each .cab is an XML document that lists the files that will be created in WinSxS. Use any web browser's search function to look for the names of suspicious files. The .cab will also contain a bunch of .manifest files, some of which have <file> entries, which create hardlinks outside of WinSxS.

You can torch the WUSA extraction folder when you're done looking around inside it.

1

To see which files are part of an update, download the MSU from the Download Center, extract the CAB from it with 7-Zip in C:\MSUFolder, then extract the CAB with the expand.exe from Windows in a command prompt by running these commands:

c: <ENTER>
cd c:\MSUFolder <ENTER>
expand -F:* Saved_MSU_File_Name.cab c:\MSUFolder <ENTER>

All files get extracted and you can look at all details, version information and more.

0

In the meantime I figured out by myself that Microsoft web pages contain detailed information about updates. I finally found out which update is responsible for reintroducing that (censored) GWX stuff to my computer, and it turned out that it was 3072318.

I came up with an idea: I took a look at the creation date of C:\Windows\System32\GWX\GWX.exe and matched it with the list of installed updates. Fortunately, only 8 of them were installed on that date, and careful examination of Microsoft articles revealed the one I was searching for. Already uninstalled, now only a restart remains to free my notebook from this spam.

0
  1. Extract the msu: `expand -f:* .\windows10.0-kb4489899-x64_c155ece4afbee219e7dfb83df67a7f2baf7c0d1d.msu .\your folder\`

  2. Use 7zip to open the cab file Windows10.0-KB4487044-x64_PSFX.cab (just an example).

  3. Search for your target, such as xxx.dll, in the file _manifest_.cix.xml. It looks like this:

<File id="13003" name="wow64_microsoft-windows-zipfldr_31bf3856ad364e35_10.0.17763.107_none_f750bde8ef30fc65\f\zipfldr.dll" length="436" time="131939575275464258" attr="8224">
  4. Expand the cab: `expand -F:* Windows10.0-KB4487044-x64_PSFX.cab .\folder\cab`

You will see the file.
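
The search of `_manifest_.cix.xml` described in the answers above, as an added example that is not part of any answer: it parses the `<File>` entries and reports which component, architecture and version carry a given file name. The sample index is constructed around the one entry quoted above; its wrapper elements, the other entries, and reading `time` as a Windows FILETIME are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample index. The first <File> line is the entry quoted in the
# answer above; the wrapper elements and the other entries are assumptions.
SAMPLE_CIX = r"""<Container xmlns="urn:ContainerIndex">
 <Files>
  <File id="13003" name="wow64_microsoft-windows-zipfldr_31bf3856ad364e35_10.0.17763.107_none_f750bde8ef30fc65\f\zipfldr.dll" length="436" time="131939575275464258" attr="8224"/>
  <File id="13004" name="amd64_microsoft-windows-zipfldr_31bf3856ad364e35_10.0.17763.107_none_0123456789abcdef\f\zipfldr.dll" length="512" time="131939575275464258" attr="8224"/>
  <File id="13005" name="amd64_constructed-component_31bf3856ad364e35_10.0.17763.107_none_fedcba9876543210\f\other.dll" length="300" attr="8224"/>
 </Files>
</Container>"""

# WinSxS component folder: arch_name_publicKeyToken_version_culture_hash
COMPONENT_RE = re.compile(
    r"^(?P<arch>[^_]+)_(?P<name>.+)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[^_]+)_(?P<hash>[0-9a-f]{16})$")

def filetime_to_utc(value):
    """Assumption: 'time' is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if value is None:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)

def find_in_index(cix_xml, target):
    """Return one dict per <File> entry whose file name equals target (case-insensitive)."""
    hits = []
    for elem in ET.fromstring(cix_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "File":   # ignore any XML namespace
            continue
        parts = elem.get("name", "").split("\\")
        if parts[-1].lower() != target.lower():
            continue
        comp = COMPONENT_RE.match(parts[0].lower()) if len(parts) > 1 else None
        hits.append({
            "id": elem.get("id"),
            "path": elem.get("name"),
            "component": comp.group("name") if comp else None,
            "arch": comp.group("arch") if comp else None,
            "version": comp.group("version") if comp else None,
            "time_utc": filetime_to_utc(elem.get("time")),
        })
    return hits

if __name__ == "__main__":
    for hit in find_in_index(SAMPLE_CIX, "ZIPFLDR.DLL"):
        print(hit["id"], hit["arch"], hit["component"], hit["version"], hit["time_utc"])
```

To use it on a real package, pass the text of the `_manifest_.cix.xml` taken from the .cab instead of `SAMPLE_CIX`.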
