6

The following services have successfully been disabled, and their executable files that activate them have had their security permissions removed under properties:

  1. Background Intelligent Transfer Service
  2. Update Orchestrator Service
  3. Windows Update
  4. Windows Update Medic Service

I have also completely disabled these services in Task Scheduler, and in their respective registry file settings, and rebooted to confirm the registry file settings were saved. Task Scheduler itself, in fact, has been completely disabled and cannot be accessed even within system level MMC.

HOWEVER, the Update Orchestrator Service is somehow able to re-activate itself each day and will download the KB5008212 package (or any other package I do not have) if it is not already downloaded, so deleting the package doesn't help.

This machine is for testing and I do not want KB5008212 package to install. I have a system-level/admin level MMC console always running to make it easier for me to simply refresh the services tool under computer management component, find Update Orchestrator Service, set to disabled and stop the service, and click apply/ok.

I tested to see what would happen if I did not do this everyday. When it re-activated itself, I left it alone, and eventually, over the course of several days, the 4 services I listed above will re-enable and activate 1 by 1.

I am tired of constantly fighting this. If saved registry changes, security activation permissions for their files, and disabled settings in Services combined can't do it, I want to know what will, and I want to know what other service or task is responsible for its re-activation.

3
  • What is Orchestrator? Can you uninstall it? It is not a service on any of my computers here.
    – anon
    Commented Feb 17, 2022 at 0:50
  • It is far easier to infinitely postpone an update from being installed than attempting to disable Windows Update. Using Activity Hours, and continuously setting it, is far more effective than trying to break Windows Update in some capacity.
    – Ramhound
    Commented Feb 17, 2022 at 21:21
  • "I have also completely disabled these services in Task Scheduler" .. ? Services don't run via the task scheduler. Services run via the service control manager and the kernel driver model (which technically aren't services but one can argue this point due to Microsoft's ambiguous verbiage). This might be semantics to some, but the difference is more than semantics.
    Commented Feb 18, 2022 at 22:54

2 Answers

2

*Updated for Windows 22H2

The simple answer: Windows Update Medic Service (WaaSMedicSvc)

You need to disable this two ways:

  1. Its service. To do this, you need to do it through the registry (always back up all registry keys and put them somewhere before making changes).

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,00,00,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
    

    This puts the service at disabled, and the failure action at "Take No Action".

  2. You need to disable the scheduled task for it. You can do this either by downloading ExecTI.exe and running mmc.exe /s taskschd.msc inside it, then navigating to Task Scheduler Library > Windows > WaasMedic, and then disabling it. Or, do it via the registry here:

    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0CEC0B91-4AE9-4E8A-ACB2-3B4C811F442C}]
    "Hash"=hex:6f,ad,62,d5,2a,7b,61,a6,ea,0d,3e,20,80,1f,04,8f,b3,3e,4f,01,39,e6,85,f2,25,b9,a9,77,9f,64,be,2d
    

    Your end numbers (0CEC0B91-4AE9-4E8A-ACB2-3B4C811F442C) may differ, so search the main key (\Tasks) by hitting F3, and search for: PerformRemediation

That's it. I suggest in order to disable it all, with no intention of removing anything permanently, that you disable all the following services and tasks:

Services:

Background Intelligent Transfer (BITS)
Update Orchestrator Service (can also disable its tasks)
Windows Update
Windows Update Medic Service

If any of them for some reason do not allow you to disable them, you can do it in the registry by assigning their Start to 4 (1=autodelayed,2=auto,3=manual,4=disabled):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
    "Start"=dword:00000004

Here is a complete registry entry of mine to do it all in one go.

    Windows Registry Editor Version 5.00

    ;; READ NOTE FIRST ABOUT EXECTI.EXE
    ;; system32\usoclient.exe may be renamed if needed (Orchestrator file)

    ;; UpdateOrchestrator\Schedule Scan

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{440D36C3-DA3F-4CD8-A99E-D698432D005A}]
    "Hash"=hex:f6,1b,aa,e5,4a,a7,19,31,58,fa,96,7b,39,45,40,67,c1,2f,3c,ba,9f,9c,\
      90,28,3c,8a,2d,80,7e,ba,11,fd

    ;; WaaSMedic\PerformRemediation (update medic)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0CEC0B91-4AE9-4E8A-ACB2-3B4C811F442C}]
    "Hash"=hex:6f,ad,62,d5,2a,7b,61,a6,ea,0d,3e,20,80,1f,04,8f,b3,3e,4f,01,39,e6,\
      85,f2,25,b9,a9,77,9f,64,be,2d

    ;; use ExecTI.exe if possible to disable the Scheduled Task / triggers manually (it should change this anyhow), if not then use this.
    ;; THE CODE: 440D36C3-DA3F-4CD8-A99E-D698432D005A may be different. Search for "UpdateOrchestrator\Schedule Scan" in registry.

    ;; SERVICES

    ;; Windows Update Medic Service

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,00,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    ;; Update Orchestrator Service

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,00,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    ;; BITS
    ;; key paths in a .reg file start at the hive name, without the "Computer\" prefix shown in Regedit's address bar

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,00,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    ;; Update

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    "Start"=dword:00000004
    "FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
      00,00,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:00000001
    "AUOptions"=dword:00000002

    ;; Disable Maintenance Wake Up

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance]
    "WakeUp"=dword:00000000

    ;; Windows Modules Installer (TrustedInstaller)
    ;; needs key permissions as administrator

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller]
    "Start"=dword:00000004

    ;; change to 3 to put it back to manual (default). These components re-enables windows update and BITS components periodically.
    ;; failure actions is the Recovery tab under the service properties specified to "take no action"

I recommend that you use SetACL if you want to make a batch file to automate all of this and stop components at the same time. SetACL will take permission of the necessary registry keys to modify TrustedInstaller and others to 4 (disabled).

Here is a batch example (disable_all.bat):

    @echo off
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller" -ot reg -actn setowner -ownr n:Administrators
    SetACL.exe -on "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller" -ot reg -actn ace -ace "n:Administrators;p:full"
    regedit.exe /S disable_update_components.reg
    TIMEOUT 1
    sc config "WaaSMedicSvc" start= disabled
    sc stop "WaaSMedicSvc"
    TIMEOUT 1
    sc config "UsoSvc" start= disabled
    sc stop "UsoSvc"
    TIMEOUT 1
    net stop BITS
    sc config "BITS" start= disabled
    sc stop "BITS"
    TIMEOUT 1
    sc config "wuauserv" start= disabled
    sc stop "wuauserv"
    TIMEOUT 1
    sc config "TrustedInstaller" start= disabled
    sc stop "TrustedInstaller"

If all else fails, you can simply rename your system32\usoclient.exe, or try something like Wu10Man to see if it helps (though, that basically does everything here), and simply leave the tasks/components as is.

If you'd like to revert any of these changes, simply change "Start"=dword:00000004 to "Start"=dword:00000003
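
As an added example (not part of the answer above or of any tool it mentions), the following Python code reads a .reg file before it is imported, decodes each service's Start value and FailureActions blob, and flags key paths that do not begin with a hive name. The sample input and function names are constructed for this example, and the blob layout is assumed to be five DWORD header fields followed by (action type, delay in ms) pairs.

```python
import re
import struct
# Constructed sample; the second key keeps Regedit's address-bar "Computer\" prefix.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000004
"FailureActions"=hex:00,00,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,00,00,00,00,60,ea,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
[Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004
'''

ACTION_TYPES = {0: "none", 1: "restart", 2: "reboot", 3: "run_command"}  # SC_ACTION_TYPE
# Service Start values; delayed auto-start is Start=2 plus DelayedAutostart=1.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

def decode_failure_actions(blob):
    """Decode FailureActions: five DWORD header fields, then (type, delay_ms) pairs."""
    reset_period, _msg, _cmd, count, _offset = struct.unpack_from("<5I", blob, 0)
    actions = [struct.unpack_from("<2I", blob, 20 + 8 * i) for i in range(count)]
    return reset_period, [(ACTION_TYPES.get(t, t), d) for t, d in actions]

def parse_reg(text):
    """Return ({key: {name: value}}, keys whose path does not start with a hive name)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join "\"-continued hex lines
    keys, bad, current = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            if not current.lstrip("-").startswith("HKEY_"):
                bad.append(current)
        m = re.match(r'"([^"]+)"=(dword|hex):([0-9a-fA-F,]+)$', line)
        if m and current:
            name, kind, raw = m.groups()
            keys[current][name] = (int(raw, 16) if kind == "dword"
                                   else bytes.fromhex(raw.replace(",", "")))
    return keys, bad

def summarize(text):
    """Per service: (start type, decoded recovery actions or None), plus the bad keys."""
    keys, bad = parse_reg(text)
    out = {}
    for key, vals in keys.items():
        if "Start" in vals:
            fa = vals.get("FailureActions")
            recovery = decode_failure_actions(fa) if fa else None
            out[key.rsplit("\\", 1)[-1]] = (START_TYPES.get(vals["Start"]), recovery)
    return out, bad
```

Calling `summarize(SAMPLE)` shows the WaaSMedicSvc blob decoding to three "none" recovery actions and reports the `Computer\`-prefixed BITS key as a path that does not start at a hive.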

0

I thought it was the hidden service called WaaSMedicSvc which you can disable in registry, but that didn't do the trick either. (HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc, Start=4)

I've been looking at Azure VMs which you can actually specify not to get updates. The only thing I could find was that these reg keys (from the XP time) were actually set: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate = 1 (enabled)

HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions = 3 (AutoUpdateModeDownload)

Haven't tested them out on my W10 yet (didn't believe they would change anything, but who knows).

The WaaSMedicSvc service was set to 3 (manual)

UPDATE:

Just found out that there also is a WaaSMedic Schedule Task:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WaaSMedic

...maybe that's the one! MS did go a long way to protect this task by using very strict permissions, cannot do it in GUI (that's a good sign :-P)

UPDATE2: The WaaSMedic Schedule Task didn't seem to do the trick either :-(
