Background

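Recently, devices on a project were automatically upgrading from Windows 10 to Windows 11. A search turned up the third-party tool windows-update-blocker; because the tool supports command-line arguments, it is also easy to integrate. The batch file looks roughly like this: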

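@echo off
rem Work from the script's own directory; the quotes keep paths with spaces intact
pushd "%~dp0"
rem Prints: starting to disable the Windows Update service
echo 开始禁用windows更新服务
rem /D disables the Windows Update service, /P protects the service settings
"%~dp0Wub_x64.exe" /D /P
timeout 3
popd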

What happens behind the scenes

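As a technical person, you still need to know what the software does behind the scenes. Monitoring it with TotalUninstaller captured the registry entries the software writes, shown below. Its approach is to hijack the Windows Update processes through Image File Execution Options (IFEO) and to change the Windows Group Policy options: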

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"WubBlockLists"=hex(7):57,00,61,00,61,00,53,00,4D,00,65,00,64,00,69,00,63,00,\
  2E,00,65,00,78,00,65,00,00,00,57,00,61,00,61,00,73,00,4D,00,65,00,64,00,69,\
  00,63,00,41,00,67,00,65,00,6E,00,74,00,2E,00,65,00,78,00,65,00,00,00,57,00,\
  69,00,6E,00,64,00,6F,00,77,00,73,00,31,00,30,00,55,00,70,00,67,00,72,00,61,\
  00,64,00,65,00,2E,00,65,00,78,00,65,00,00,00,57,00,69,00,6E,00,64,00,6F,00,\
  77,00,73,00,31,00,30,00,55,00,70,00,67,00,72,00,61,00,64,00,65,00,72,00,41,\
  00,70,00,70,00,2E,00,65,00,78,00,65,00,00,00,55,00,70,00,64,00,61,00,74,00,\
  65,00,41,00,73,00,73,00,69,00,73,00,74,00,61,00,6E,00,74,00,2E,00,65,00,78,\
  00,65,00,00,00,55,00,73,00,6F,00,43,00,6C,00,69,00,65,00,6E,00,74,00,2E,00,\
  65,00,78,00,65,00,00,00,72,00,65,00,6D,00,73,00,68,00,2E,00,65,00,78,00,65,\
  00,00,00,45,00,4F,00,53,00,6E,00,6F,00,74,00,69,00,66,00,79,00,2E,00,65,00,\
  78,00,65,00,00,00,53,00,69,00,68,00,43,00,6C,00,69,00,65,00,6E,00,74,00,2E,\
  00,65,00,78,00,65,00,00,00,75,00,70,00,66,00,63,00,2E,00,65,00,78,00,65,00,\
  00,00,49,00,6E,00,73,00,74,00,61,00,6C,00,6C,00,41,00,67,00,65,00,6E,00,74,\
  00,2E,00,65,00,78,00,65,00,00,00,4D,00,75,00,73,00,4E,00,6F,00,74,00,69,00,\
  66,00,69,00,63,00,61,00,74,00,69,00,6F,00,6E,00,2E,00,65,00,78,00,65,00,00,\
  00,4D,00,75,00,73,00,4E,00,6F,00,74,00,69,00,66,00,69,00,63,00,61,00,74,00,\
  69,00,6F,00,6E,00,55,00,78,00,2E,00,65,00,78,00,65,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSnotify.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallAgent.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotification.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotificationUx.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\remsh.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SihClient.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdateAssistant.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UsoClient.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaaSMedic.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaasMedicAgent.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe]
"Debugger"="/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10UpgraderApp.exe]
"Debugger"="/"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"TrayIconVisibility"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]
"WindowsStore"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade"=dword:00000001
"DisableWindowsUpdateAccess"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc]
"Start"=dword:00000004
"WubLock"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000004
"WubLock"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"WubLock"=dword:00000001
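
The export above can be audited mechanically. The following is an added example, not part of the original post or of the tool: it parses .reg export text, decodes the hex(7) (REG_MULTI_SZ) WubBlockLists value into readable image names, and reports which IFEO subkeys carry a Debugger value and which services are set to Start=4 (disabled). The sample input is constructed, and the function names are assumptions of this example.

```python
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Constructed sample in the same shape as the export above (two names only).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"WubBlockLists"=hex(7):75,00,70,00,66,00,63,00,2E,00,65,00,78,00,65,00,00,00,\
  72,00,65,00,6D,00,73,00,68,00,2E,00,65,00,78,00,65,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe]
"Debugger"="/"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"WubLock"=dword:00000001
'''

def decode(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(7):"):  # REG_MULTI_SZ: UTF-16LE strings separated by NUL
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw.strip('"')  # plain string value

def parse_reg(text):  # -> {key_path: {value_name: decoded_value}}
    text = re.sub(r"\\\r?\n\s*", "", text)  # join "\"-continued hex lines
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            current[name.strip('"')] = decode(raw)
    return keys

def audit(text):
    """Summarise blocked images and disabled services (Start=4) in an export."""
    keys = parse_reg(text)
    listed = keys.get(IFEO, {}).get("WubBlockLists", [])
    hijacked = sorted(k[len(IFEO) + 1:] for k, v in keys.items()
                      if k.startswith(IFEO + "\\") and "Debugger" in v)
    disabled = sorted(k[len(SERVICES) + 1:] for k, v in keys.items()
                      if k.startswith(SERVICES + "\\") and v.get("Start") == 4)
    missing = sorted({n.lower() for n in listed} - {n.lower() for n in hijacked})
    return {"block_list": listed, "ifeo_debugger": hijacked,
            "disabled_services": disabled, "listed_without_debugger": missing}

print(audit(SAMPLE))
```

Files exported by regedit are normally UTF-16 with a BOM, so read a real export with `open(path, encoding="utf-16")` before passing its text to `audit`.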

Registry entries to restore the default update configuration

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoWindowsUpdate"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"WubBlockLists"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSnotify.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\InstallAgent.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotification.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MusNotificationUx.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\remsh.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SihClient.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdateAssistant.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upfc.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UsoClient.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaaSMedic.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WaasMedicAgent.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10UpgraderApp.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings]
"TrayIconVisibility"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft]
"WindowsStore"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DisableOSUpgrade"=-
"DisableWindowsUpdateAccess"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DoSvc]
"Start"=dword:00000002
"WubLock"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"Start"=dword:00000003
"WubLock"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000002
"WubLock"=-

You can also pause Windows updates through the registry, as follows:

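  1. Press WIN + R and enter regedit to open the Registry Editor
  2. Click HKEY_LOCAL_MACHINE
  3. Click SOFTWARE
  4. Click Microsoft
  5. Click WindowsUpdate
  6. Click UX
  7. Click Settings, then right-click in the blank area
  8. Select New, select Key, select DWORD value, name it FlightSettingsMaxPauseDays, and choose Decimal as the base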

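In the Value data field on the left, enter the number of days you want to pause updates, then click OK. Now go to the Windows Update page and you will find that the pause duration is the one we just wrote, as long as you like. If you later regret it and want to revert, just click Resume updates. Keep this for future reference.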