25.02.2003, Update: 27.02.2003

Inside Windows-Update

by Mike Hartmann

A black box approach

Our first approach exploits the fact that Windows Update uses the WinInet API to handle the SSL connection and the data transfer. By hooking the HttpOpenRequest() function and examining the arguments passed to it, we learn that the data sent from the user's computer to the Microsoft server over the SSL connection consists of HTTP POST requests. By also hooking the InternetWriteFile() function, we are able to peek at the data posted to the Microsoft server before it is encrypted.
Hooked into communication: With our dump-tool we are able to see exactly which data is transferred to Windows Update.
This is what the tecDump utility does. It asks for the name of a log file, starts Internet Explorer, opens the Windows Update URL and hooks InternetWriteFile(). When "Scan for updates" is selected in Windows Update, the tecDump utility becomes active and writes a hex dump of the intercepted data to the chosen log file.
The utilities that we provide with this article rely on undocumented behavior of Windows Update. It is likely that an update, e.g. a new service pack or a hotfix, will change this behavior and therefore render the tools unusable.
Page 3 of 16