Windows 7 - wuauclt.exe stealing CPU constantly. No access to Windows Update

Asked By Bjoer on 29-May-07 12:36 PM
Hi; i have tried several fixes and patches and whatever they are called! When
I try to connect to windows update the system slows down and perhaps after 10
minutes I "get through" and Windows Update checks my computer. Then I receive
an error message > cannot update. The process wuauclt.exe runs constantly
form startup and steals 50% CPU. When I try to shut down the process it just
restarts again. Trying to shut down the process via cmd does not function
either > get the message: the process cannot be stopped. This is the latest
registry in the windows update log file:
2007-05-29	17:47:51:265	3768	970	Misc	  = Process:
C:\WINDOWS\system32\wuauclt.exe
2007-05-29	17:47:51:265	3768	970	AUClnt	FATAL: Error: 0xc8000408. wuauclt
datastore: failed to spawn COM server
2007-05-29	17:47:51:375	 780	d38	DtaStor	FATAL: DS: Out of proc datastore
process exited with error 0xc8000408 before signalling ready event.

Anyone?




MowGreen [MVP] replied on 29-May-07 01:34 PM
XP Pro - *right* click C:\ (or the *root drive*), choose Properties,
Security
Add System with Full Control
XP HomeEdition - boot to Safe Mode to access the Security tab by logging
on as Admin

Specifically, what 'fixes and patches and whatever they are called' were
installed ?


MowGreen  [MVP 2003-2007]
===============
*-343-*  FDNY
Never Forgotten
===============
Robin Walker [MVP] replied on 29-May-07 02:17 PM
Although your description does not match the usual symptoms, it would be
worth upgrading to the latest versions of Windows Update, and then checking
for any symptoms remaining after that, in case the issue is now fixed.
Could you also confirm whether you are trying to use "Windows Update" or

Before doing the items below, ensure that you have disabled all 3rd-party
anti-virus, anti-spyware, popup-blocker, download accelerator, or firewall.
If you disabled a 3rd-party firewall, then re-enable Windows Firewall for
the duration.

You might need to stop Automatic Updates while you apply these two fixes:
open a command prompt window and type the command:

net stop wuauserv

For a fix to the above problem, please do BOTH of the following:

1. (not for Vista) If your update history shows that you do not yet have
update KB927891 installed, then download and install update KB927891 ver3:
and then restart Windows.

2. For 32-bit systems, download and save to hard disk, and then install:

If this produces an error message about "Update agent already
installed", then execute the installer again manually, with parameter
/wuforce as in (at a comand prompt window):

WindowsUpdateAgent30-x86.exe  /wuforce

Then visit Microsoft Update again, and report back whether your problem is
fixed.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
Bjoer replied on 29-May-07 04:46 PM
Well, i thougt it was a problem with wuauclt.exe because i did not have the
latest updates from Windows Update. I have them now, after manual
installation. That was what i meant with "fixes and pathes and so on"...> bad
english I guess! Anyway; i have rebooted to safe mode and checked full access
for "SYSTEM" under the security tab. It was allready set to full access....
so ive still got the problem. Thank you anyway for your reply and suggestion.
PA Bear replied on 29-May-07 05:03 PM
[good luck, bromow]
Bjoer replied on 29-May-07 05:33 PM
I am using Windows Update. Using "net stop wuaserv" does not stop the
wuauclt.exe process from running. Shouldnt it? Anyways; I have followed your
steps, after turning off Trend Micro Pc Cillin and Windows Defender (who
doesnt gain any updates either...). Under "step 2" I had to run the installer
manually because I got the message "...allready installed". After some time I
got installation failure with the code 0x8007041d....
Bjoer replied on 29-May-07 06:20 PM
This could perhaps be a challenge for you guys (or girls for that matter) due
to my lack of good english... The problem is:

1)wuauclt.exe is running constantly using approx 50% CPU
2)Connection to Windows Update is very slow. After a while I get the error
code: 0x80248011.
3)Less important: Windows Defender is neither able to gain updates. I have
installed the latest version.

After the last attempt to use windows update, I have this from the logfile.
(Somewhat different from my first post...):

2007-05-29	23:56:26:859	3188	97c	Misc	===========  Logging initialized
(build: 7.0.6000.374, tz: +0200)  ===========
2007-05-29	23:56:26:859	3188	97c	Misc	  = Process:
C:\WINDOWS\system32\wuauclt.exe
2007-05-29	23:56:26:859	3188	97c	Misc	  = Module:
C:\WINDOWS\system32\wuaueng.dll
2007-05-29	23:56:26:859	3188	97c	DtaStor	FATAL: Failed to initialize
datastore, error = 0xC8000408
2007-05-29	23:56:26:859	3188	97c	Misc	===========  Logging initialized
(build: 7.0.6000.374, tz: +0200)  ===========
2007-05-29	23:56:26:859	3188	97c	Misc	  = Process:
C:\WINDOWS\system32\wuauclt.exe
2007-05-29	23:56:26:859	3188	97c	AUClnt	FATAL: Error: 0xc8000408. wuauclt
datastore: failed to spawn COM server
2007-05-29	23:56:26:875	 788	76c	DtaStor	FATAL: DS: Out of proc datastore
process exited with error 0xc8000408 before signalling ready event.
2007-05-29	23:56:26:875	 788	76c	Agent	  * WARNING: Exit code = 0x80248011
2007-05-29	23:56:26:875	 788	76c	Agent	*********
2007-05-29	23:56:26:875	 788	76c	Agent	**  END  **  Agent: Finding updates
[CallerId = WindowsUpdate]
2007-05-29	23:56:26:875	 788	76c	Agent	*************
2007-05-29	23:56:26:875	 788	76c	Agent	WARNING: WU client failed Searching
for update with error 0x80248011
2007-05-29	23:56:26:890	 604	d00	COMAPI	>>--  RESUMED  -- COMAPI: Search
[ClientId = WindowsUpdate]
2007-05-29	23:56:26:890	 604	d00	COMAPI	  - Updates found = 0
2007-05-29	23:56:26:890	 604	d00	COMAPI	  - WARNING: Exit code = 0x00000000,
Result code = 0x80248011
2007-05-29	23:56:26:890	 604	d00	COMAPI	---------
2007-05-29	23:56:26:890	 604	d00	COMAPI	--  END  --  COMAPI: Search
[ClientId = WindowsUpdate]
2007-05-29	23:56:26:890	 604	d00	COMAPI	-------------
2007-05-29	23:56:26:890	 604	564	COMAPI	WARNING: Operation failed due to
earlier error, hr=80248011
2007-05-29	23:56:26:890	 604	564	COMAPI	FATAL: Unable to complete
asynchronous search. (hr=80248011)
2007-05-29	23:56:31:890	 788	76c	Report	REPORT EVENT:
{A09C15CF-C615-4F1B-9E7F-054A008A8E9C}	2007-05-29
23:56:26:875+0200	1	148	101	{00000000-0000-0000-0000-000000000000}	0	80248011	WindowsUpdate	Failure	Software
Synchronization	Windows Update Client failed to detect with error 0x80248011.
MowGreen [MVP] replied on 29-May-07 06:22 PM
0x8007041d The service did not respond to the start or control request
in a timely fashion

Open the Services console by going to Start > Run > type in

services.msc
Click OK or press Enter

Locate Automatic Updates.
Double click *on* it
The Startup type must be set to Automatic
If the service is stopped then click the Start button

Now locate Background Intelligent Transfer Service
Double click *on* it
The Startup type can be set to Manual or Automatic
It CAN NOT be set to Disabled or the system will not update
If the service is stoppend then click the Start button

The error message is most likely in regards to you having stopped
Automatic Updates by running net stop wuauserv
Restart the service via the Services console
Now try to install WindowsUpdateAgent30-x86.exe

In a previous post you stated:


These are the boxes that need to be checked for System under Allow:

Full Control
Modify
Read & Execute
List Folder Contents
Read
Write


MowGreen  [MVP 2003-2007]
===============
*-343-*  FDNY
Never Forgotten
===============
Robin Walker [MVP] replied on 29-May-07 06:42 PM
Please confirm the version number and last-modified date of these files:

C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msi.dll

Please search the system for any other file named wuauclt.exe in a different
directory (for instance, c:\WINDOWS\TEMP)which might be a trojan.  There
have been previous reports of high CPU usage in wuauclt.exe - and they have
been trojans with the same name as the automatic update client.

Also check in msconfig to see if wuauclt.exe is being launched at every
boot - if so it is definitely a trojan.  The real wuauclt.exe does not get
launched as a Run item.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
Bjoer replied on 30-May-07 12:22 PM
I have the following:

C:\WINDOWS\system32\wuauclt.exe: version number 7.0.6000.374, last modified
16. april 2007

C:\WINDOWS\system32\msi.dll: version number 3.1.4000.4039, last modified 18.
april 2007

Searching for wuauclt.exe on my computer gave 2 hits: in c:\windows\system32
and c:\windows\system32\dllcache

In msconfig there is no wuauclt.exe incident under start up. Howewer I have
one entry here with no name, it launches as a run item. Only the marked
checkbox shows for this incident. No text.

No trojan then I guess...?

Bjoern
Bjoer replied on 30-May-07 12:27 PM
Under services.msc both Automatic updates and Background Intelligent Transfer
Service are (and where) set to automatic. Restarted the services and retried
installation of the update agent (WindowsUpdateAgent30-x86.exe). Got the same
error again: 0x8007041d

Bjoern
Robin Walker [MVP] replied on 30-May-07 01:32 PM
Good.


Good.


No evidence of one.

Try downloading and running Dial-a-Fix from
http://wiki.djlizard.net/Dial-a-fix

Use its options to fix Windows Installer, fix Windows Update, and all the
Registration Center options.
Then click "GO"

You should also click "Flush SoftwareDistribution".

Restart Windows, log in again, and see if Windows Update is now working.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
MowGreen [MVP] replied on 30-May-07 02:01 PM
Did you check the Permissions for the root drive as I posted
previously ?


You previously posted:


wuauclt.exe is spawned from the Automatic Updates service and will not
be listed in MSConfig.
Any entry in MSConfig that's loading on Startup with no name is
*usually*, but not always, suspect.
In MSConfig, look on the Startup page once more for the Location of
where the 'no name' entry is starting from
Then open the registry editor and see if any other information is
available in that subkey
The below subkeys are *usually* used to load 'items' on boot:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Trend Micro is not known to damage BITS nor the AU service

0x80248011 SUS_E_DS_UNABLETOSTART
Could not create an out of proc datastore object

The system STILL needs to have the Permissions correctly.
Is System Restore functioning properly ?
If not, then PLEASE check the Permissions.

If the system can not access Windows Update *AFTER* checking the
Permissions on the root drive, then

1-Click Start, click Run and then type :

net stop wuauserv
Click OK or press Enter

2-Click Start, click Run for each of the below and then type these in,
*click OK* after each one :

regsvr32 wuapi.dll

regsvr32 wups.dll

regsvr32 wuaueng.dll

regsvr32 wuaueng1.dll

regsvr32 wucltui.dll

regsvr32 wuweb.dll

regsvr32 jscript.dll

regsvr32 atl.dll

regsvr32 softpub.dll

regsvr32 msxml3.dll

net start wuauserv

Restart the system and try to access WU now
*[NOTE: Please note the spaces as they are critical in running the
commands. Copy & paste them if that's easier]*


MowGreen  [MVP 2003-2007]
===============
*-343-*  FDNY
Never Forgotten
===============
Bjoer replied on 30-May-07 03:03 PM
Yes, all these boxes are checked in the root drive (c) for System under Allow

Bjoern
Bjoer replied on 30-May-07 05:43 PM
Sorry, you wrote more in your latest post..didnt see that:


The "no name entry" has the location
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. In fact most of the
incidents here has this location. None of the above mentioned subkeys is
registered on the startup page in msconfig. Can not find the
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry
(regedit.exe). I suspect that I have misunderstood something here...?
Howewer; Would it be an idea to create a new point in system restore,
deactivate the "no name entry", and restart to see if it has anything to do
with my unsolved problem? I guess this incident isnt crucial since there are
no name attached?


Yes, looks like it...


When I do that I get a black screen a short while. No confirming message
that it is stopped. Is that right?

I have manually done the rest according to your suggestion, with the dll
files ++. Then restarted and tried WU again. The problem remains; wuauclt.exe
runs constantly and the WU isnt working....

Bjoern
Bjoer replied on 30-May-07 05:51 PM
Still not working im afraid...I got one error message when running
dial-a-fix: Error during registration of C:\WINDOWS\system32\wuaueng.dll -
version: 7.0.6000.374. The error returned is: Tjenesten er merket for
sletting.

The last norwegian sentence above should mean something like "The service is
to be deleted/marked or checked to be deleted"

Bjoern
Robin Walker [MVP] replied on 30-May-07 06:31 PM
That's strange.  If you launch "services.msc" to look at the Windows
services, and look at the line for "Automatic Updates", does it say it is
Running?  Is it set to "Automatic" start?

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
Bjoer replied on 30-May-07 06:37 PM
I have now removed this "no name entry". Looks like the computers behaviour
is not affected by this, not the problems I have neither...


Would it be an idea to create a new point in system restore,
deactivate the "no name entry", and restart to see if it has anything to do
with my unsolved problem? I guess this incident isnt crucial since there are
no name attached?
Bjoer replied on 31-May-07 05:46 AM
Yes; automatic updates is running and it is set to automatic start.

Bjoern
Robin Walker [MVP] replied on 31-May-07 06:21 AM
Sorry, I am right out of ideas - did you try the "Flush SoftwareDistribution"
option of Dial-a-fix?

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
Bjoer replied on 31-May-07 06:45 AM
Yes, I also tried the "Flush SoftwareDistribution" option in
Dial-a-fix...Thank you anyway for your contribution and tips

Bjoern
Robert Aldwinckle replied on 31-May-07 09:41 AM
To get more detail about a failure with  regsvr32.exe  you can use
DependencyWalker  and its  Profile  command.   The trace it creates
can be captured; so your trace could be compared to a normal trace.

BTW  the  0x80248011  apparently has something to do with the TIF.

http://www.updatexp.com/0x80248011.html

(Live Search for
0x80248011
)


Have you completely cleared the  TIF?   If just using the normal Delete Files...
command seems not to be enough you could also delete the whole folder.
To do that you need to use a different user with admin authority or boot from
an alternate partition, etc.   (The advantage is that the TIF's index.dat file gets
reinitialized  AND  resized.)   Another way to resize the TIF's index.dat is
to use CacheSentry which can do it over a boot.


HTH

Robert Aldwinckle
---
Bjoer replied on 31-May-07 12:45 PM
PROBLEM IS FIXED !!! I thought it would be an idea to try Dial-a-fix in safe
mode. That did the trick. CPU is "back to normal" and WU works just fine.
Defender works fine to. Robin; you get my vote!

Bjoern
Bjoer replied on 31-May-07 12:48 PM
Problem is fixed by running Dial-a-fix in safe mode
(http://wiki.djlizard.net/Dial-a-fix)
Robin Walker [MVP] replied on 31-May-07 02:07 PM
Thanks for letting us know - I shall take a note of that trick!

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
Jim Byrd replied on 31-May-07 06:08 PM
And I, also.  Thanks!

--
Regards, Jim Byrd,
My Blog, Defending Your Machine,
http://defendingyourmachine2.blogspot.com/



Robin Walker [MVP] <rdhw@cam.ac.uk> typed:
MowGreen [MVP] replied on 31-May-07 06:23 PM
Thanks for posting back with this info, Bjoern. It sure sounds as if
'something' isn't playing nice with system files needed to update.


The only message will be the one stating the the Automatic Updates
service is stopping and then the Desktop will come back up.

Since Dial-a-fix worked in Safe Mode, that may be an indication that
Trend or other security software is hampering scripting at Windows Update.


MowGreen  [MVP 2003-2007]
===============
*-343-*  FDNY
Never Forgotten
===============
mgross33 replied on 05-Jun-07 06:17 AM
PLEASE READ THIS. I FIX PCS FOR A LIVING. MY CUSTOMER HAS EXACTLY THE SAME
PROBLEM AND I DO MEAN EXACTLY RIGHT DOWN TO THE 50% CPU PART.
THERE ARE A FEW SPYWARE/VIRUS REMOVAL THINGS I HAVE'T TRIED YET BUT THIS PC
WHICH **DID** HAVE A LOT OF SECURITY PROBLEMS HAS HAD ALL OF THEM REMOVED AND
THIS PROBLEM REMAINS WHICH COULD WELL BE A MS OS BUG (DUE POSSIBLY TO A
RECENT MS UPDATE). THE REMAINING SECURITY REMOVAL THINGS ARE MINOR AND
ESSENTIALLY "SHOTS IN THE DARK" THAT ARE UNLIKELY TO WORK.

I STRONGLY SUSPECT A MS BUG HERE DUE TO THE EXTRAORDINARY SIMILARITY IN THE
DATES OF THIS POST AND WHEN I SAW THE PROBLEM, ALMOST THE EXACT SAME DAY.

I **WILL** POST HERE IF MY REMAINING WEAK SECURITY REMOVAL EFFORTS FIX THIS
PROBLEM.

MIKE GROSS mgross333@yahoo.com
PRESIDENT
THE COMPUTER DOCTOR
WINCHESTER, MA
Robin Walker [MVP] replied on 05-Jun-07 06:51 AM
Since you have posted in this thread, you should try all the fixes suggested
earlier in this thread.

--
Robin Walker [MVP Networking]
rdhw@cam.ac.uk
PA Bear replied on 05-Jun-07 11:08 AM
If you are an IT pro, you should know that posting in all caps is considered
SHOUTING!  Did you intened to SHOUT?
Phil Corbett replied on 01-Dec-08 02:52 PM
Greetings!
Since Dial Fix fixed it, does anyone know what it actually fixed or should I now turn to their site to research that product?  Please advise.