FOR THE PAST two months I've written about patches, service packs, and the update process for Windows XP and 2000. Several
readers have responded that they no longer feel comfortable letting Windows automatically download such changes.
If that's so, there are good ways and bad ways to handle this situation. Here's the data you need.
First of all, reader Bob Chrysler points out that the Microsoft white paper I recently mentioned isn't completely accurate
on how to turn off Windows XP's auto-update features. (That paper is at
http://www.microsoft.com/WindowsXP/pro/techinfo/administration/manageautoupdate.)
"Setting auto-update to manual in Control Panel, System, Properties does not completely stop Microsoft's back door," Chrysler
says. "We believe disabling Automatic Updates under Administrative Tools, Services is a more reliable way."
It isn't necessary to change this individually on all the PCs throughout a company, however. "Since I'm running a Windows
2000 domain, and all my computers are Windows 2000 Pro, I rely on Group Policy," writes Patrick Ip. He wants the features
of Windows 2000's Service Pack 3 but prefers to decide on a case-by-case basis when and if future patches will be downloaded.
"I started by building a slipstream version of Windows 2000 SP3 by applying the patch to a network folder containing Windows
2000 SP2," Ip explains. The command for this is Update.exe -s:foldername. He then performed a silent installation on an unused
workstation to get a working Windows 2000 SP3 installation.
This creates a series of Administrative Templates under the folder C:\WinNT\Inf. The Wuau.adm template controls auto-update.
"After I added that template to the Administrative Templates for my default Domain Policy, it's listed under Administrative
Templates, Windows Components, Windows Update," Ip writes. "I then disabled Configure Automatic Updates. Finally, I applied
SP3 to the server and then to the workstations. All of them automatically had the auto-update feature disabled."
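To confirm which of the settings described above is actually in effect on a given PC, the following added example (not from the column or from Microsoft's white paper) reads the policy value written by Wuau.adm, the start type of the Automatic Updates service (wuauserv), and the Control Panel choice. The registry location for the Control Panel choice is an assumption for XP-era systems, and the helper function names are made up for this sketch.

```powershell
# Added example, not from the column. Read-only: reports the three places
# where Automatic Updates can be turned off on a Windows machine.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
# Assumption: where the Control Panel choice is stored on XP-era systems.
$localKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Get-StartName($Start) {
    # Service Control Manager start types: 2, 3 and 4.
    if     ($null -eq $Start) { 'service not present' }
    elseif ($Start -eq 2)     { 'Automatic' }
    elseif ($Start -eq 3)     { 'Manual' }
    elseif ($Start -eq 4)     { 'Disabled' }
    else                      { "Start=$Start" }
}

# Group Policy layer: NoAutoUpdate=1 is "Configure Automatic Updates: Disabled".
$noAutoUpdate = Get-RegValue $policyKey 'NoAutoUpdate'
if     ($null -eq $noAutoUpdate) { $policy = 'Not configured' }
elseif ($noAutoUpdate -eq 1)     { $policy = 'Disabled by policy' }
else   { $policy = "Enabled by policy (AUOptions=$(Get-RegValue $policyKey 'AUOptions'))" }

# Service layer: the start type, plus whether the service is running right now.
# A service set to Disabled keeps running until it is stopped or the PC reboots.
$startName = Get-StartName (Get-RegValue $serviceKey 'Start')
$svc       = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($svc) { $running = $svc.Status } else { $running = 'n/a' }

# Control Panel layer (per-machine setting made in System Properties).
$localOpt = Get-RegValue $localKey 'AUOptions'
if ($null -eq $localOpt) { $local = 'No value found' } else { $local = "AUOptions=$localOpt" }

'{0,-24} {1}' -f 'Group Policy:',          $policy
'{0,-24} {1}' -f 'Service start type:',    $startName
'{0,-24} {1}' -f 'Service state now:',     $running
'{0,-24} {1}' -f 'Control Panel setting:', $local
```

Run it on a workstation after the domain policy has refreshed; a machine that picked up the policy shows "Disabled by policy" on the first line regardless of what the Control Panel line reports.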
If you plan to do something like this under XP, you should consider using its Profiles feature. You can save XP's initial
state as a profile called Default, then create other profiles in which auto-update and other services are disabled. This allows
you to switch among them as needed.
There's a step-by-step guide to creating these profiles at a fascinating Web site created by an enthusiastic Windows gamer
called Black Viper. (See http://www.blkviper.com/WinXP/xpprofiles.htm.)
In an interview, BV -- who asked that his true name not be revealed -- explained that XP ships with 89 services, 36 of which
run automatically. But only eight of them are needed, he says. The others cost you up to 70MB of RAM.
For his complete list, read the "Windows XP Service Info" and "Windows 2000 Service Info" pages that his profiles page links
to. I'll dive headfirst into all of these services next week.