8

I manage a WSUS server for a large number of servers in a shared environment. Recently I noticed that despite the scheduled install time configured via the local GPO of many servers, they were not rebooting for sometimes 1.5-2 hours after their scheduled install time. Checking their event logs and WindowsUpdate.log I saw that on all of them they were in fact starting installation at their scheduled install time, but after installing the update "Windows Malicious Software Removal Tool x64 - March 2015 (KB890830)" or its equivalent for that month, it would be 1-1.5 hours before it finished installing the next update and eventually rebooting.

Checking the WindowsUpdate.log I see tons of entries like the following:

    2015-03-16  20:51:01:700    26316   704 Handler CBS called Progress with state=7, ticks=102299, total=691

Other servers seem to have no issues with the same set of updates. It will take them only 15-20 minutes and they will reboot within 30 minutes of their scheduled install time.

Has anybody seen anything similar to this? Is there some reason why the monthly malicious software update would install right at the scheduled time, but the rest would take hours? They don't have tons of updates; there are on average 10-15 updates scheduled. These systems are all over the place in terms of performance specs, so I don't think it's related to their hardware specs.

Thanks

UPDATE: This issue has continued to occur on this machine. I am now not entirely sure whether it's related to the Windows malicious software tool or not. The only symptoms I have found are the following:

  1. Any number of updates will take 1.5-1.75 hours to install, where other servers installing the same updates take 15-30 minutes to install them.
  2. The Windows Update log is filled from top to bottom with the following over and over again (entirely filling up the log in a matter of minutes):

        2015-07-20    21:13:47:793    7432    3e8 Handler CBS called Progress with state=7, ticks=204999, total=502
        2015-07-20    21:13:50:320    7432    3e8 Handler CBS called Progress with state=4, ticks=205154, total=502

  3. C:\Windows\Logs\CBS\CBS.log is much larger than on other servers (1.5 GB).
  4. The System event log always shows the following pattern. Right at the scheduled install time a first update will immediately install, for example:

        Date:          5/18/2015 8:00:28 PM
        Event ID:      19
        Task Category: Windows Update Agent
        Level:         Information
        Keywords:      Success,Installation
        User:          SYSTEM
        Computer:      ...
        Description:
        Installation Successful: Windows successfully installed the following update: Update for Windows Server 2008 R2 x64 Edition

     Then 1.5 hours will elapse and the Windows Malicious software update will say it finished installation:

        Date:          5/18/2015 9:46:05 PM
        Event ID:      19
        Task Category: Windows Update Agent
        Level:         Information
        Keywords:      Success,Installation
        User:          SYSTEM
        Computer:      ...
        Description:
        Installation Successful: Windows successfully installed the following update: Windows Malicious Software Removal Tool x64 

floyd
  • Have you tested this without installing the MSRT? To test this: make a clone of the machine and boot it on an isolated network (still pointing to your WSUS server) and see if you see the same behavior if you install the updated MSRT and let it finish running before you reboot to install updates. – austinian Jul 23 '15 at 20:44
  • We hid the MSRT update on the servers one month, and the same issue still occurred. This is what led me to believe it wasn't related to MSRT – floyd Jul 27 '15 at 20:13

2 Answers

8

Something I learned recently, courtesy of Michael Hampton, is that an update to the Windows Malicious Software Removal Tool not only applies the update but also runs the tool, which accounts for the lengthy install time for that update. The following MS article has more details:

http://support.microsoft.com/en-us/kb/890830

joeqwerty
  • That is interesting and I was not aware of that. But it seems from what I've been able to determine from the event log and the MSRT logs @ %systemroot%\debug\mrt.log that the installation of the new monthly tool is done within 30 minutes and the scan is completed in about 2 additional minutes. The remaining 13 updates then take another 75 minutes. It does seem like the installation of the MSRT update takes a disproportionate amount of time though. – floyd Mar 17 '15 at 03:10
1

Search for and delete the trace registry setting for Windows Update:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace

Those log entries will be gone.

MDT 2013 SP0, for one, is known to enable the debug tracing even when not asked to due to a bug.

ivan_pozdeev
user297541
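
A read-only way to check one server for the three symptoms discussed in this thread (the Trace registry key, the flood of "Handler CBS called Progress" lines, and an oversized CBS.log) is sketched below. It is an added example, not code from either answer; the function name `Get-WUTraceTriage` is hypothetical, and it assumes PowerShell 3.0 or later and the text-format WindowsUpdate.log in `%SystemRoot%`.

```powershell
# Added example: read-only triage of the symptoms described on this page.
# Assumes PowerShell 3.0+ (Get-Content -Tail) and the text-format WindowsUpdate.log.
function Get-WUTraceTriage {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [string]$TraceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace',
        [string]$WULog    = (Join-Path $env:SystemRoot 'WindowsUpdate.log'),
        [string]$CbsLog   = (Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'),
        [int]$TailLines   = 5000
    )

    # 1. Is the Trace key present, and which values does it hold?
    $tracePresent = Test-Path -LiteralPath $TraceKey
    $traceValues  = @()
    if ($tracePresent) {
        $key = Get-Item -LiteralPath $TraceKey
        $traceValues = @($key.GetValueNames() |
            ForEach-Object { '{0}={1}' -f $_, $key.GetValue($_) })
    }

    # 2. Share of the most recent log lines that are CBS progress callbacks.
    $total = 0; $progress = 0
    if (Test-Path -LiteralPath $WULog) {
        $tail     = @(Get-Content -LiteralPath $WULog -Tail $TailLines)
        $total    = $tail.Count
        $progress = @($tail -match 'Handler\s+CBS called Progress with state=\d+').Count
    }
    $pct = if ($total -gt 0) { [math]::Round(100 * $progress / $total, 1) } else { $null }

    # 3. Size of CBS.log (the question reports 1.5 GB on the slow server).
    $cbsMB = $null
    if (Test-Path -LiteralPath $CbsLog) {
        $cbsMB = [math]::Round((Get-Item -LiteralPath $CbsLog).Length / 1MB, 1)
    }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        TraceKeyPresent  = $tracePresent
        TraceValues      = $traceValues -join '; '
        LinesSampled     = $total
        CbsProgressLines = $progress
        CbsProgressPct   = $pct
        CbsLogSizeMB     = $cbsMB
    }
}

Get-WUTraceTriage
```

Comparing the output from a slow server with that of a server that installs the same updates in 15-30 minutes shows whether the Trace key and the progress-line flood appear together before anything is deleted.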