Windows Product Updates may stop responding or may use most or all the CPU resources

When you try to install a product update (for example, a security patch, a critical update, an update rollup, or a hotfix) for any of the products that are listed in the "Applies to" section of this article, the installation may stop responding (hang).

When this problem occurs, the Processes tab in Windows Task Manager may indicate that Update.exe is using most or all the CPU resources. To start Windows Task Manager, right-click an empty area on the taskbar, and then click Task Manager.

This problem occurs if both the following conditions exist:

• The Debug Programs user right (SeDebugPrivilege) was revoked from all users and groups, including administrators. By default, the Debug Programs user right is assigned only to administrators and to Local System. A user who has this user right can attach a debugger to any process.
• The product update that you are trying to install contains version 5.3.23.4 of Update.exe. This version requires the Debug Programs user right.
  
  To determine the version of Update.exe that is included with a Windows product update, follow these steps:
  1. Use the -x command-line switch to extract the product update package to a temporary folder. For example, to extract the English 826232 security patch for Microsoft Windows 2000 to the C:\826232 folder, run the following command:
     windows2000-kb826232-x86-enu -x:c:\826232
  2. Right-click the Update.exe file in the temporary folder that you created in step 1, and then click Properties. Typically, Update.exe is located in a folder that is named Update (for example, C:\826232\Update). The file version appears on the Version tab.

On October 29, 2003, Microsoft released several revised security patches that contain version 5.4.1.0 of Update.exe. Version 5.4.1.0 or later versions of Update.exe no longer require the Debug Programs user right. The following table lists the revised security patches that are available.

To work around this problem, grant the Debug Programs user right to the Administrators group. In Group Policy, the Debug Programs user right is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

Microsoft does not recommend that you revoke the Debug Programs user right from the Administrators group. If you revoke the Debug Programs user right from the Administrators group, Microsoft recommends that you use the updated security patches where available.

For additional information, visit the following Microsoft Web site to view the Microsoft Windows XP and Windows 2003 Security Hardening Guide: