RE: WSUS/Reboot

From: Laura A. Robinson (larobins_at_bellatlantic.net)
Date: 06/29/05

    Date: Tue, 28 Jun 2005 20:04:47 -0400
    To: "'Depp, Dennis M.'" <deppdm@ornl.gov>, "'David LeBlanc'" <dleblanc@mindspring.com>, "'Martin Mewes'" <mm@mewes.tv>, <focus-ms@securityfocus.com>
    
    

    There are some [registry, files-in-use] aspects of a Windows system that are
    dynamically built/started/replaced only during boot, before the service or
    component is initialized. Additionally, the kernel is not dynamically
    loadable and unloadable, so kernel changes also cannot be made "on the fly".
    It is not service stop/restart that is requiring reboot in most cases
    anymore. When a patch does require a reboot, it is generally because the
    patch is addressing something that *requires* a reboot in order to
    reinitialize or replace a service or file (and most of the time these days,
    it's because an in-use file must be replaced and cannot be closed without
    damaging the machine's operation). So, in answer to your question about why
    patches aren't "smart enough to stop and restart the necessary services",
    they often *are*. The next time you patch a system, watch service status
    while you're doing it.

    Alternately, just read this article. :-)
    http://support.microsoft.com/kb/887012

    Laura

    > -----Original Message-----
    > From: Depp, Dennis M. [mailto:deppdm@ornl.gov]
    > Sent: Monday, June 27, 2005 12:26 PM
    > To: David LeBlanc; Martin Mewes; focus-ms@securityfocus.com
    > Subject: RE: WSUS/Reboot
    >
    > So why aren't the patches smart enough to stop and restart
    > the necessary services? IMHO there is a big difference in
    > bouncing a service and bouncing the entire box. For starters
    > there is a big time difference.
    > It takes much longer to bounce a box than to bounce a
    > service. During a server bounce, there is a much greater
    > chance of something else going wrong. Ever have a box reboot
    > with an error "Key board not found, Press F1 to continue."?
    >
    > Dennis
    >
    > -----Original Message-----
    > From: David LeBlanc [mailto:dleblanc@mindspring.com]
    > Sent: Saturday, June 25, 2005 5:53 PM
    > To: 'Martin Mewes'; focus-ms@securityfocus.com
    > Subject: RE: WSUS/Reboot
    >
    >
    > > Did someone ever tell Microsoft that they should have a look
    > > on unixoid systems. The only scenario a unixoid box _must_ be
    > > rebooted is, when the kernel has been patched or the main
    > > glibc must be changed for some reasons. But even the latter
    > > does not mean to always you need to reboot the system.
    >
    > Reducing reboots is something that I know is a priority for Microsoft,
    > and you're right - having systems rebooting all the time is a
    > problem, even if they're just desktops. I think you'll see improvement
    > on this over time, and one of the new features of WSUS I notice is
    > immediate application of patches that don't need reboots.
    >
    > However, the way that you get this system uptime on most *nix systems
    > is to drop the service in question, apply patches and restart the
    > service. IMHO, if the system's job is to provide that service, there is
    > only a little difference between bouncing the service and bouncing the
    > box. If you take the same approach on a Windows server, you will often
    > find that you get similar gains. For example, back when there were
    > enough IIS patches to worry about, you could stop the web service and
    > if the patch were applied when the server wasn't up, it didn't need a
    > reboot. You'd then restart the service once the patch was applied. Many
    > of the patches only trigger a reboot if a file that needed to be
    > replaced will only get replaced on reboot.
    >
    > IMHO, it would be a good thing if the patch were to do this on its
    > own, but in the meantime you can certainly do it yourself.
    >
    >
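
The thread's point that a reboot is usually triggered by an in-use file queued for replacement at boot can be checked on a patched machine. The following is an added example, not part of the original messages: it decodes the Session Manager `PendingFileRenameOperations` registry value (the standard boot-time rename queue, which the thread does not name) into source/destination pairs. The function name and the sample entries are constructed for illustration.

```powershell
# Added example: decode the boot-time file replacement queue so you can see
# which in-use files a patch has scheduled for replacement on next reboot.
function ConvertFrom-PendingRename {
    param([AllowEmptyString()][string[]]$Entries = @())
    # The value is a list of pairs: source path, then destination path.
    # An empty destination means "delete the source at boot".
    for ($i = 0; $i -lt $Entries.Count; $i += 2) {
        $src = $Entries[$i] -replace '^\\\?\?\\', ''        # strip the \??\ prefix
        $dst = if ($i + 1 -lt $Entries.Count) { $Entries[$i + 1] } else { '' }
        # A leading "!" on the destination means "replace an existing file".
        $dst = $dst -replace '^!', '' -replace '^\\\?\?\\', ''
        [pscustomobject]@{
            Source      = $src
            Destination = $dst
            Action      = if ($dst) { 'ReplaceAtBoot' } else { 'DeleteAtBoot' }
        }
    }
}

# Constructed sample data (not taken from a real system or from the thread).
$sample = @(
    '\??\C:\WINDOWS\system32\SET1A.tmp', '!\??\C:\WINDOWS\system32\example.dll',
    '\??\C:\WINDOWS\TEMP\old.tmp',       ''
)
ConvertFrom-PendingRename $sample | Format-Table -AutoSize

# Live check on the local machine: the value is absent when nothing is queued.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$live = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($live) {
    ConvertFrom-PendingRename $live | Format-Table -AutoSize
} else {
    'No boot-time file replacements are queued.'
}
```

Running it before and after applying a patch with the affected service stopped shows whether the patch still had to queue a locked file for replacement.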
