W7 X64 Windows update turned itself on for all products.
This computer is a new build as of mid-December. I installed W7 x64 SP1 on it with no further patches except for one needed for SolidWorks to run.
As I always do, the first thing I did was turn off auto updates. I also ran a utility, "Kill w10 upgrade nag".
The computer has been heavily used since and constantly online. Everything appeared fine with no nags or associated traffic until today.
The only strange thing I noticed on the network for the last 2 or 3 days was an almost constant low bw (average 2.5kb) flow to this computer. I spent some time trying to identify its source and purpose. The addresses involved were ipv6 around ff02::1:3. The purpose is supposedly to do with the replacement of ipv4 DHCP server and provides an automatic version of DHCP for ipv6. No changes were made to the network or software installed on this machine at the time this started to appear.
When I started up my computer this morning, shortly after booting I got a popup message that Windows needed to restart in order to install updates.
I went and had a look at the updates on this machine and it now showed dozens of KBs, all with today's date, Feb 9. This is probably everything since SP1. It included
KB 3035583 - According to Microsoft, this update enables "additional capabilities for Windows Update notifications when new updates are available".
I have backups of every 3 hours for the previous month and daily before that, so I decided out of curiosity to let Windows update itself. I first uninstalled KB 3035583.
The computer re-booted successfully. The first thing I checked was the update settings, which were all on. I turned them off and again rebooted the computer to ensure update settings weren't still turned on in memory.
I watched internet bound traffic using the Avast firewall and also Wireshark. After a few minutes I noticed a new svchost thread start to 13.107.28.43, which turns out to be a Microsoft update server. I blocked that IP in the computer's firewall, not the router's, and again restarted the computer. The router is a commercial grade one through which I provide wifi internet to my remote community through 2 ganged satellite links.
I had a look in \window\SoftwareDistribution\Download\ and deleted all the files there.
After a few minutes the low bw traffic started up again. It was now from an Akamai server.
I should have checked where that process # was initiated from but didn't. I then manually disabled the WindowsUpdate service which was listed but not running.
I had to go out for about half an hour.
When I got back I checked the download directory again and there were 394 new directories in it, with most being empty. There were 14 directories with a total of 940mb of data in them.
The router I use is a Peplink Balance 20, which does an excellent job of logging internet bw. I can identify by hour/day/month each user's bw individually. During the period I was gone the total bw down was 86mb. Where did the 950mb of data come from?
I was suspicious of the ipv6 traffic, suspecting that possibly MS was doing something on ipv6 networks to multicast w10 upgrade files across a local network if there were multiple computers that had been upgraded or had upgrade files downloaded to them. I know some of the computers on this network are now W10 and at least 1 is currently being upgraded.
I renamed the \download\ directory \download.delete\ to see if \download\ was automatically recreated. I disabled ipv6 on the router and also on my W7 computer. So far after about 2 hours there is no sign of update downloading.
Is there anything else I can do to stop the updating?