Windows Update services are deleted at every restart

After you restore the missing Windows Update, BITS, or the Update Orchestrator Service services using registry files, you find that the services vanish again after a restart. They don’t appear in the Services MMC.

Cause

This issue happens if your computer is infected. Malware running as a service or scheduled task is deleting the Windows Update (“wuauserv”), Background Intelligent Transfer Service (“BITS”), Update Orchestrator Service (“UsoSvc”), Delivery Optimization (“DoSvc”), and the Windows Update Medic Service (WaasMedicSvc) services at every restart.

For example, a trojan named trojan.Siggen18.38683, which runs as a scheduled task, deletes all the Windows Update-related services at every startup. This is just an example. There may be similar trojans that do this.

How to Resolve the Problem

Run a Malwarebytes scan

Download Malwarebytes (https://www.malwarebytes.com/) , update the definitions, and run a full scan.

Editor’s note: In a recent case, the trojan “Trojan.Siggen18.38683” seems to have somehow evaded the detection engines of Malwarebytes and Microsoft Defender Antivirus, even though 41 Antivirus vendors (including Malwarebytes and Microsoft) flagged it as malicious. You can read about it in this Microsoft Answers thread.

Download Autoruns

After eliminating malware from the computer, download the Autoruns utility from Microsoft, and run the program as administrator.

Inspect the Autoruns output thoroughly. In a recent case, we found that the trojan created a fake scheduled task named “GoogleUpdateTaskMachineGNC” that ran the following file at every startup.

%ProgramFiles%\Google\Chrome\updaterchr.exe

It’s an unsigned/unverified file. Always be suspicious of the “(Not Verified)” entries in Autoruns; Autoruns highlights unverified items in pink. However, it doesn’t mean that the verified entries don’t require scrutiny. Every entry needs to be checked.

Note that the file updaterchr.exe is malware. It hides inside the “Google\Chrome” directory to confuse the user.

After searching the web for the file name and task name, I came across the Dr.Web article. As you can see, the trojan deletes all the services related to Windows Update.

See the VirusTotal report for the file.

• VirusTotal – File – 7330c3326d27f9cef7e9e11850fdb5f84ffcc1b9ddbf5bcc4456eaf4b397ac39
• Automated Malware Analysis Report – Generated by Joe Sandbox

The trojan also disables the following Microsoft Update scheduled tasks.

"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun"
"\Microsoft\Windows\WindowsUpdate\Automatic App Update"
"\Microsoft\Windows\WindowsUpdate\Scheduled Start"
"\Microsoft\Windows\WindowsUpdate\sih"
"\Microsoft\Windows\WindowsUpdate\sihboot"
"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant"
"\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun"

It deletes the following Windows Update service registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsoSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bits
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dosvc

Deleting the task “GoogleUpdateTaskMachineGNC” and the rogue file resolved the problem.

Note: Your system may have a *different* kind of malware and in a different startup entry point (not necessarily a scheduled task). The above was provided as an example.

---

Reset Windows Security “Exclusions”

The above virus creates some exclusions in Windows Security. After cleaning up the entries, open Windows Security and remove these folders from the list of “Exclusions”:

• C:\Users\{username}
• C:\Program Files

---

Restore the Windows Update Services

• Restore the missing Windows Update (wuauserv) Service
• Restore the missing BITS Service
• Restore the missing “Update Orchestrator Service”

It’s crucial to eliminate the viruses from the computer before recreating the Windows Update/BITS/UsoSvc/DoSvc/WaasMedicSvc service registry keys.