WSUS overriding GPO for reboot

From: Dirk Doerflinger (dirk.doerflinger_at_h2o-gmbh.de)
Date: 07/12/05

    To: <focus-ms@securityfocus.com>
    Date: Tue, 12 Jul 2005 11:32:22 +0200
    
    
    

    Hello,

    I'll put this here because I regard a spontaneous reboot of a live server as
    a security issue (kind of a DoS):

    I approved some bugfixes for Server 2003 in WSUS.

    In the GPO which applies to the servers I set "no automatic reboot"; no
    other GPO overrides this.

    Now all XP and 2000 clients got a "Computer is going to restart now [OK]"
    message box, while the servers simply restarted without any warning.

    WindowsUpdate.log says:

    2005-07-12 09:00:50 1020 494 AU ## END ## AU:
    Search for updates [CallId = {B669678A-F994-43C0-861D-0203CDCDC6A2}]
    2005-07-12 09:00:50 1020 494 AU #############
    2005-07-12 09:00:53 1020 494 Report REPORT EVENT:
    {A833EE07-F822-43BA-A7FA-E47D26C992E1} 2005-07-12 09:00:48+0200 1
    191 101 {90B61E13-9028-4348-86B0-CED032EFBEF6} 102 0
    AutomaticUpdates Success Content Install Installation successful and
    restart required for the following update: Sicherheitsupdate für Windows
    Server 2003 (KB896426)
    2005-07-12 09:00:53 1020 494 Report REPORT EVENT:
    {D0512843-F412-4203-A9A4-B142E4403FA7} 2005-07-12 09:00:48+0200 1
    194 102 {00000000-0000-0000-0000-000000000000} 0 0
    AutomaticUpdates Success Content Install Restart Required: To
    complete the installation of the following updates, the computer will be
    restarted within 5 minutes: - Sicherheitsupdate für Windows Server 2003
    (KB896426)
    2005-07-12 09:01:02 1020 acc AU AU found 1 sessions
    to launch client into
    2005-07-12 09:01:02 1020 acc AU Launched new AU
    client for directive 'Reboot Pending', session id = 0x1
    2005-07-12 09:01:02 752 1438 Misc =========== Logging
    initialized (build: 5.8.0.2469, tz: +0200) ===========
    2005-07-12 09:01:02 752 1438 Misc = Process:
    C:\WINDOWS\system32\wuauclt.exe
    2005-07-12 09:01:02 752 1438 AUClnt Launched Client UI
    process
    2005-07-12 09:01:03 752 1438 AUClnt AU client got new
    directive = 'Reboot Pending', serviceId =
    {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000
    2005-07-12 09:01:03 1020 df4 AU AU setting client
    response for sessionId 0x1 to 'Pending'
    2005-07-12 09:01:17 1020 acc AU AU found 1 sessions
    to launch client into
    2005-07-12 09:15:52 1020 928 PT Initializing simple
    targeting cookie, clientId = a9d2ba6e-32c1-447a-91bf-a851ccfc3ac2, target
    group = Server, DNS name = h2oa1000.intranet.h2o-gmbh.de
    2005-07-12 09:15:52 1020 928 PT Server URL =
    http://h2oa1001:8530/SimpleAuthWebService/SimpleAuth.asmx
    2005-07-12 09:15:52 1020 928 Report Uploading 1 events
    using cached cookie, reporting URL =
    http://h2oa1001:8530/ReportingWebService/ReportingWebService.asmx
    2005-07-12 09:15:52 1020 928 Report Reporter
    successfully uploaded 1 events.
    2005-07-12 09:47:48 752 1438 AUClnt AU client got new
    directive = 'Shutdown', serviceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7},
    return = 0x00000000
    2005-07-12 09:47:48 752 1438 AUClnt AU client reboot
    notification: user clicked Restart Later
    2005-07-12 09:47:48 1020 dec AU AU setting client
    response for sessionId 0x1 to 'Pending'
    2005-07-12 09:47:48 1020 dec AU Changing existing AU
    client directive from 'Shutdown' to 'Reboot Pending', session id = 0x1
    2005-07-12 09:48:02 1020 acc AU AU found 1 sessions
    to launch client into
    2005-07-12 09:48:02 1020 acc AU Launched new AU
    client for directive 'Reboot Pending', session id = 0x1
    2005-07-12 09:48:03 4424 17c4 Misc =========== Logging
    initialized (build: 5.8.0.2469, tz: +0200) ===========
    2005-07-12 09:48:03 4424 17c4 Misc = Process:
    C:\WINDOWS\system32\wuauclt.exe
    2005-07-12 09:48:03 4424 17c4 AUClnt Launched Client UI
    process
    2005-07-12 09:48:03 4424 17c4 AUClnt AU client got new
    directive = 'Reboot Pending', serviceId =
    {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, return = 0x00000000
    2005-07-12 09:48:03 1020 e14 AU AU setting client
    response for sessionId 0x1 to 'Pending'
    2005-07-12 09:48:17 1020 acc AU AU found 1 sessions
    to launch client into
    2005-07-12 10:02:55 1020 acc AU WARNING: Initiating
    reboot since no user logged on
    2005-07-12 10:02:55 1020 acc AU AU invoking
    RebootSystem (OnRebootNow)
    2005-07-12 10:02:55 1020 acc Misc WARNING: SUS Client
    is rebooting system.
    2005-07-12 10:02:55 1020 acc AU AU rebooting machine
    since no user is logged on and reboot is required.
    2005-07-12 10:03:04 1020 acc AU WARNING: Initiating
    reboot since no user logged on
    2005-07-12 10:03:04 1020 acc AU AU invoking
    RebootSystem (OnRebootNow)
    2005-07-12 10:03:04 1020 acc Misc WARNING: Failed to
    reboot system, hr=8007045B.
    2005-07-12 10:03:04 1020 acc AU WARNING:
    RebootSystem failed, error = 0x8007045B
    2005-07-12 10:03:04 1020 acc AU AU invoking
    RebootSystem (OnRebootRetry)
    2005-07-12 10:03:04 1020 acc Misc WARNING: SUS Client
    is rebooting system.
    2005-07-12 10:03:14 1020 acc AU AU invoking
    RebootSystem (OnRebootRetry)
    2005-07-12 10:03:14 1020 acc Misc WARNING: Failed to
    reboot system, hr=800706BB.
    2005-07-12 10:03:24 1020 acc AU AU invoking
    RebootSystem (OnRebootRetry)
    2005-07-12 10:03:24 1020 acc Misc WARNING: Failed to
    reboot system, hr=800706BB.
    2005-07-12 10:03:35 1020 acc Service *********
    2005-07-12 10:03:35 1020 acc Service ** END **
    Service: Service exit [Exit code = 0x240001]
    2005-07-12 10:03:35 1020 acc Service *************
    2005-07-12 10:09:09 1048 c68 Misc =========== Logging
    initialized (build: 5.8.0.2469, tz: +0200) ===========
    2005-07-12 10:09:09 1048 c68 Misc = Process:
    C:\WINDOWS\System32\svchost.exe

    Eventlog says:

    The process winlogon.exe has initiated the restart of <computer name> for
    the following reason: No title for this reason could be found.
    Minor Reason: 0x80020002
    Shutdown Type: reboot

    According to eventid.net this message is generated when SUS is forcing a
    computer to reboot.

    Does anybody have an explanation or can point me anywhere where I can find
    one? MS KB didn't help me yet.

    Regards,

    DD

    ______________________________________
    Dipl. Ing. Dirk Doerflinger
    IT Operator
    Telephone +49 (0) 7627 9239 - 230
    Telefax +49 (0) 7627 9239 - 200
    H2O GmbH process water engineering
    Wiesenstrasse 32
    79585 Steinen/ Germany
    www.h2o-gmbh.com
    ______________________________________

    Clever ideas for clean water!
    ______________________________________
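
The reboot sequence in the log above can be extracted mechanically. This is an added example, not part of the original post: it re-joins the hard-wrapped log lines and lists the reboot decisions, using four entries copied from the post; the function names and rule labels are assumptions made for illustration.

```python
import re
from datetime import datetime
# Excerpt of the WindowsUpdate.log in the post, hard-wrapped as the e-mail wrapped it.
SAMPLE = """\
2005-07-12 09:47:48 752 1438 AUClnt AU client reboot
notification: user clicked Restart Later
2005-07-12 10:02:55 1020 acc AU WARNING: Initiating
reboot since no user logged on
2005-07-12 10:02:55 1020 acc AU AU invoking
RebootSystem (OnRebootNow)
2005-07-12 10:03:04 1020 acc Misc WARNING: Failed to
reboot system, hr=8007045B.
"""

# A record starts "date time pid tid component"; any other line is a wrapped tail.
RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\d+\s+[0-9a-fA-F]+\s+(\w+)\s+(.*)$")
RULES = [  # hypothetical labels for the messages seen in the post's log
    ("user_deferred", re.compile(r"user clicked Restart Later")),
    ("reboot_no_user", re.compile(r"Initiating reboot since no user logged on")),
    ("reboot_invoked", re.compile(r"invoking RebootSystem \((\w+)\)")),
    ("reboot_failed", re.compile(r"Failed to reboot system, hr=([0-9A-Fa-f]{8})")),
]

def unwrap(text):
    records = []
    for line in map(str.strip, text.splitlines()):
        if RECORD.match(line):
            records.append(line)            # new log entry
        elif records and line:
            records[-1] += " " + line       # continuation of the previous entry
    return records

def reboot_timeline(text):
    """Return (timestamp, kind, detail) for every reboot-related entry."""
    events = []
    for rec in unwrap(text):
        ts, _component, msg = RECORD.match(rec).groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        for kind, pat in RULES:
            m = pat.search(msg)
            if m:
                events.append((when, kind, m.group(1) if m.groups() else None))
    return events

def deferral_to_forced_reboot(events):
    """Seconds from the last 'Restart Later' click to the forced reboot, else None."""
    deferred = [t for t, kind, _ in events if kind == "user_deferred"]
    forced = [t for t, kind, _ in events if kind == "reboot_no_user"]
    ok = deferred and forced and forced[0] >= deferred[-1]
    return int((forced[0] - deferred[-1]).total_seconds()) if ok else None
```

On this excerpt the forced reboot follows the "Restart Later" click by 907 seconds, and the log entry itself gives the reason: no user was logged on.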

    
    
