Inside Windows-Update

A black box approach

Our first approach exploits the fact that Windows Update uses the WinInet API to handle both the SSL connection and the data transfer. Because WinInet performs the encryption itself, below the API, every buffer an application hands to it is still plaintext. By hooking HttpOpenRequest() and examining the passed arguments we learn that the data sent from the user's computer to the Microsoft server over the SSL connection consists of HTTP POST requests. By also hooking InternetWriteFile() we can read the posted data before it is encrypted.

This is what the tecDump utility does. It asks for the name of a log file, starts Internet Explorer, opens the Windows Update URL and hooks InternetWriteFile(). When "Scan for updates" is selected in Windows Update, the hook fires and tecDump writes a hex dump of the intercepted data to the chosen log file.
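The same capture, written as an added example rather than the tecDump utility itself: a Frida agent hooks HttpOpenRequestW and InternetWriteFile inside the browser process and ships each plaintext buffer to a Python script that writes the hex dump. It assumes the Frida toolkit (pip install frida) on the Windows host and a target process named iexplore.exe that still talks through wininet.dll; both are assumptions, and current Windows Update clients use WinHTTP from a service process instead of WinInet in the browser, so the module and target would differ there. The additional hook on HttpSendRequestW goes beyond the article: WinInet passes a small POST body through that function's lpOptional parameter, and such a body never reaches InternetWriteFile.

```python
"""Log the plaintext of HTTP POST bodies before WinInet encrypts them, by
hooking the WinInet functions the article names.  Added example, not the
tecDump utility; it assumes the Frida toolkit (pip install frida) on a
Windows host, a target process named iexplore.exe, and that the target
still sends its requests through wininet.dll."""
import sys

# Frida agent (JavaScript) injected into the target process.  Hooking
# HttpSendRequestW is an addition beyond the article: a small POST body
# travels in HttpSendRequest's lpOptional and never passes InternetWriteFile.
AGENT_JS = r"""
const wininet = Process.getModuleByName('wininet.dll');

// HINTERNET HttpOpenRequestW(hConnect, lpszVerb, lpszObjectName, ...)
Interceptor.attach(wininet.getExportByName('HttpOpenRequestW'), {
  onEnter(args) {
    this.verb = args[1].isNull() ? 'GET' : args[1].readUtf16String();
    this.path = args[2].isNull() ? '/'   : args[2].readUtf16String();
  },
  onLeave(retval) {   // the returned handle ties later body writes to this request
    send({ kind: 'open', handle: retval.toString(),
           verb: this.verb, path: this.path });
  }
});

// BOOL InternetWriteFile(hFile, lpBuffer, dwNumberOfBytesToWrite, lpdwWritten)
Interceptor.attach(wininet.getExportByName('InternetWriteFile'), {
  onEnter(args) {
    const len = args[2].toInt32();
    if (len > 0) send({ kind: 'body', handle: args[0].toString(),
                        api: 'InternetWriteFile' }, args[1].readByteArray(len));
  }
});

// BOOL HttpSendRequestW(hRequest, lpszHeaders, dwHeadersLength, lpOptional, dwOptionalLength)
Interceptor.attach(wininet.getExportByName('HttpSendRequestW'), {
  onEnter(args) {
    const len = args[4].toInt32();
    if (len > 0) send({ kind: 'body', handle: args[0].toString(),
                        api: 'HttpSendRequestW' }, args[3].readByteArray(len));
  }
});
"""


def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII dump, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {text}")
    return "\n".join(lines)


class CaptureLog:
    """Collects agent messages and renders one entry per request handle,
    each followed by a hex dump of every body chunk written to it."""

    def __init__(self):
        self.requests = {}  # handle -> {"verb", "path", "chunks": [(api, bytes)]}

    def on_message(self, message, data):
        if message.get("type") != "send":   # ignore agent 'error' messages
            return
        p = message["payload"]
        req = self.requests.setdefault(p["handle"],
                                       {"verb": "?", "path": "?", "chunks": []})
        if p["kind"] == "open":
            req["verb"], req["path"] = p["verb"], p["path"]
        elif p["kind"] == "body":
            req["chunks"].append((p["api"], bytes(data)))

    def render(self) -> str:
        out = []
        for handle, req in self.requests.items():
            total = sum(len(c) for _, c in req["chunks"])
            out.append(f"{handle} {req['verb']} {req['path']}  ({total} body bytes)")
            for api, chunk in req["chunks"]:
                out.append(f"  via {api}, {len(chunk)} bytes:")
                out.append(hexdump(chunk))
        return "\n".join(out)


def main(target="iexplore.exe", logfile="wininet-post.log"):
    import frida  # assumption: Frida is installed on the Windows host
    log = CaptureLog()
    session = frida.attach(target)
    script = session.create_script(AGENT_JS)
    script.on("message", log.on_message)
    script.load()
    print(f"hooked wininet.dll in {target}; run 'Scan for updates', then press Enter")
    sys.stdin.readline()
    session.detach()
    with open(logfile, "w") as f:
        f.write(log.render() + "\n")
    print(f"wrote {len(log.requests)} request entries to {logfile}")


if __name__ == "__main__":
    main(*sys.argv[1:])
```

Bodies are attributed to requests by the HINTERNET handle rather than by call order, because a browser keeps several requests open at once and the last-opened request is not necessarily the one being written to. Run it with the browser already started (python wininet-post.py iexplore.exe scan.log), trigger the scan, and press Enter to flush the log.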

The utilities that we provide with this article are based on undocumented behavior of Windows Update. It is likely that an update, e.g. a new service pack or a hotfix, will change this behavior and therefore render the tools unusable.