Windows Update services are deleted at every restart

After you restore the missing Windows Update, BITS, or the Update Orchestrator Service services using registry files, you find that the services vanish again after a restart. They don’t appear in the Services MMC.

windows update service missing in the list

Cause

This issue happens if your computer is infected. Malware running as a service or scheduled task is deleting the Windows Update (“wuauserv”), Background Intelligent Transfer Service (“BITS”), Update Orchestrator Service (“UsoSvc”), Delivery Optimization (“DoSvc”), and the Windows Update Medic Service (WaasMedicSvc) services at every restart.

For example, a trojan named trojan.Siggen18.38683, which runs as a scheduled task, deletes all the Windows Update-related services at every startup. This is just an example. There may be similar trojans that do this.

How to Resolve the Problem

Step 1: Run a Malwarebytes scan

Download Malwarebytes (https://www.malwarebytes.com/) , update the definitions, and run a full scan.

malwarebytes scanner dashboard

Editor’s note: In a recent case, the trojan “Trojan.Siggen18.38683” seems to have somehow evaded the detection engines of Malwarebytes and Microsoft Defender Antivirus, even though 41 Antivirus vendors (including Malwarebytes and Microsoft) flagged it as malicious. You can read about it in this Microsoft Answers thread.


Step 2: Remove rogue Scheduled Tasks and Services Using Autoruns

After eliminating malware from the computer, download the Autoruns utility from Microsoft, and run the program as administrator.

Inspect the Autoruns output thoroughly. In a recent case, we found that the trojan created a fake scheduled task named “GoogleUpdateTaskMachineGNC” or “UpdateTaskMachineQC” that ran one of the following files at every startup.

C:\Program Files\Google\Chrome\updater.exe
%ProgramFiles%\Google\Chrome\updaterchr.exe

windows update, bits, usosvc deleted at restart

It’s an unsigned/unverified file. Always be suspicious of the “(Not Verified)” entries in Autoruns; Autoruns highlights unverified items in pink. However, it doesn’t mean that the verified entries don’t require scrutiny. Every entry needs to be checked.

windows update, bits, usosvc deleted at restart

tips bulb iconWhen in doubt, upload the module to VirusTotal to see if it’s malware. Or use Autoruns’s built-in option to upload the file hash to VirusTotal. Select the suspicious item in the list, click the “Entry” menu, and click “Check VirusTotal.” [Ref: Autoruns | Microsoft Press Store]

autoruns check virus total

Note that the file updaterchr.exe is malware. It hides inside the “Google\Chrome” directory to confuse the user.

After searching the web for the file name and task name, I came across the Dr.Web article. As you can see, the trojan deletes all the services related to Windows Update.

See the VirusTotal report for the file(s).

The trojan also disables the following Microsoft Update scheduled tasks.

"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun"
"\Microsoft\Windows\WindowsUpdate\Automatic App Update"
"\Microsoft\Windows\WindowsUpdate\Scheduled Start"
"\Microsoft\Windows\WindowsUpdate\sih"
"\Microsoft\Windows\WindowsUpdate\sihboot"
"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant"
"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun"

It deletes the following Windows Update service registry keys:



HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bits
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dosvc

Deleting the task “GoogleUpdateTaskMachineGNC” and the rogue file resolved the problem.

Note: Your system may have a *different* kind of malware and in a different startup entry point (not necessarily a scheduled task). The above was provided as an example.

Realtek Audio Updater (Fake)

On another system, a fake Realtek Audio Updater program (updater.exe) caused the issue. The rogue module usually exists in the following folder:

C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe

And it’s configured to run as a scheduled task with the highest privileges.

System32\Tasks\Realtek => C:\Program Files\Realtek\Realtek High Definition Audio\Updater.exe

At every startup, the rogue Updater.exe process deletes your Windows Update-related services.

Fake Driver Updater

In another case, a fake Driver Updater caused the issue. The rogue task deleted the WU-related services whenever it was run.

System32\Tasks\DriverSetup => C:\Program Files\DriverSetup\Driver\DriverSetup.exe

VirusTotal – File – DriverSetup.exe.


Step 3: Reset Windows Security “Exclusions”

The above virus creates some exclusions in Windows Security. After cleaning up the entries, open Windows Security and remove these folders from the list of “Exclusions”:

  • C:\Users\{username}
  • C:\Program Files

To reset the exclusions en masse, see the article How to Bulk Reset Exclusions in Windows Defender.


Step 4: Restore the missing Windows Update Services

The last step will be to restore the missing services. After importing the registry files mentioned in the following articles, the system requires a reboot for the changes to take effect.

It’s crucial to eliminate the viruses from the computer before recreating the Windows Update/BITS/UsoSvc/DoSvc/WaasMedicSvc service registry keys.


One small request: If you liked this post, please share this?

One "tiny" share from you would seriously help a lot with the growth of this blog. Some great suggestions:
  • Pin it!
  • Share it to your favorite blog + Facebook, Reddit
  • Tweet it!
So thank you so much for your support. It won't take more than 10 seconds of your time. The share buttons are right below. :)

Ramesh Srinivasan is passionate about Microsoft technologies and he has been a consecutive ten-time recipient of the Microsoft Most Valuable Professional award in the Windows Shell/Desktop Experience category, from 2003 to 2012. He loves to troubleshoot and write about Windows. Ramesh founded Winhelponline.com in 2005.

Leave a Reply