Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Windows Product Updates may stop responding or may use most or all the CPU resources


View products that this article applies to.

Symptoms

When you try to install a product update (for example, a security patch, a critical update, an update rollup, or a hotfix) for any of the products that are listed in the "Applies to" section of this article, the installation may stop responding (hang).

When this problem occurs, the Processes tab in Windows Task Manager may indicate that Update.exe is using most or all the CPU resources. To start Windows Task Manager, right-click an empty area on the taskbar, and then click Task Manager.

↑ Back to the top


Cause

This problem occurs if both the following conditions exist:
  • The Debug Programs user right (SeDebugPrivilege) was revoked from all users and groups, including administrators. By default, the Debug Programs user right is assigned only to administrators and to Local System. A user who has this user right can attach a debugger to any process.
  • The product update that you are trying to install contains version 5.3.23.4 of Update.exe. This version requires the Debug Programs user right.

    To determine the version of Update.exe that is included with a Windows product update, follow these steps:
    1. Use the -x command-line switch to extract the product update package to a temporary folder. For example, to extract the English 826232 security patch for Microsoft Windows 2000 to the C:\826232 folder, run the following command:
      windows2000-kb826232-x86-enu -x:c:\826232
    2. Right-click the Update.exe file in the temporary folder that you created in step 1, and then click Properties. Typically, Update.exe is located in a folder that is named Update (for example, C:\826232\Update). The file version appears on the Version tab.

↑ Back to the top


Resolution

On October 29, 2003, Microsoft released several revised security patches that contain version 5.4.1.0 of Update.exe. Version 5.4.1.0 or later versions of Update.exe no longer require the Debug Programs user right. The following table lists the revised security patches that are available.
Security patchWindows versionSecurity bulletin
826232Windows 2000http://www.microsoft.com/technet/security/bulletin/ms03-042.mspx
828035Windows 2000, Windows XP, Windows Server 2003http://www.microsoft.com/technet/security/bulletin/ms03-043.mspx
824141Windows XPhttp://www.microsoft.com/technet/security/bulletin/ms03-045.mspx

↑ Back to the top


Workaround

To work around this problem, grant the Debug Programs user right to the Administrators group. In Group Policy, the Debug Programs user right is located under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment.

↑ Back to the top


More information

Microsoft does not recommend that you revoke the Debug Programs user right from the Administrators group. If you revoke the Debug Programs user right from the Administrators group, Microsoft recommends that you use the updated security patches where available.

↑ Back to the top


References

For additional information, visit the following Microsoft Web site to view the Microsoft Windows XP and Windows 2003 Security Hardening Guide:

↑ Back to the top


Keywords: KB830846

↑ Back to the top

Article Info
Article ID : 830846
Revision : 12
Created on : 2/3/2011
Published on : 2/3/2011
Exists online : False
Views : 117