Category Archives: Windows Command Line

Windows update error?!?

Hi guys,

Recently we started getting messages in our client system logs stating something like:
The Automatic Updates service terminated with the following error: The class is configured to run as a security id different from the caller. 

To be honest, we tried different approaches and researched different angles on this issue. We found articles about BITS and other security stuff, but none really helped. The following is true in our environment.

1. We don't use WSUS.
2. We have a native 2003 domain.
3. We use Windows XP Service Pack 2.
4. We do use network policies, but for some elusive business requirements we don't enforce updates (developers…. )

Here are some things that were true of the issue.
1. We couldn't start or stop the Windows Update service (wuauserv.dll / wuaueng.dll) and got an access denied message.
2. We couldn't register the various DLLs into Windows.
3. We couldn't rewrite the BITS entries, also getting an access denied message.
4. We couldn't enable “interactive” mode in the security>logon tab of the service, getting… Yea, an access denied message.

“Update on this Issue”

The problem was somewhat elusive to us, but we found the problem! 🙂

The behaviour described above is caused when a network policy is used to enforce the service configuration (Windows Update Service) itself.

In the Machine portion of a GPO you can browse down to: Computer Configuration > Windows Settings > Security > System Services. Here you can configure various aspects of the Windows services, like forcing the Messenger service to be disabled. In our case the Windows Update Service was forced to be Automatic, and with that (check the permissions button) the rights on that service…

Just remove the policy from the Windows Update service and control the update service using the appropriate policies found under: Computer Configuration > Administrative Templates > Windows Components > Windows Update instead.

This should fix the “id is other than caller” issue 😉

Just use the “gpupdate /force” command on the clients that really need some updates, and/or wait till the next logon, or 90 minutes (default GPO refresh time)…

Gl & Rgrds, Chris
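
To confirm that a System Services policy has rewritten the rights on the service, as the post above describes, the DACL printed by `sc sdshow wuauserv` can be checked for the rights the failed actions need. The Python below is an added example, not part of the original post; the two SDDL strings are constructed samples and the function names are hypothetical.

```python
import re

# SDDL two-letter codes as they apply to Windows service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights behind the actions that failed in the post: start/stop and reconfigure.
NEEDED = {"START", "STOP", "CHANGE_CONFIG"}

# Constructed samples (not captured from a real machine).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
POLICY_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;AU)"

def parse_dacl(sddl):
    """Map each trustee to its allowed service rights (DACL only, SACL ignored).

    Simplification: a deny ACE is subtracted only from the same trustee;
    group membership is not evaluated.
    """
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "D"):
            continue  # skip malformed or non allow/deny ACEs
        rights = {SERVICE_RIGHTS[c] for c in re.findall("..", fields[2])
                  if c in SERVICE_RIGHTS}
        target = allow if fields[0] == "A" else deny
        target.setdefault(fields[5], set()).update(rights)
    return {t: r - deny.get(t, set()) for t, r in allow.items()}

def missing_admin_rights(sddl, trustee="BA"):
    """Rights from NEEDED that the trustee (default: Builtin Administrators) lacks."""
    return sorted(NEEDED - parse_dacl(sddl).get(trustee, set()))

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("policy", POLICY_SDDL)):
        print(name, "-> administrators lack:", missing_admin_rights(sddl) or "nothing")
```

An empty result means administrators can still start, stop and reconfigure the service; anything listed points at an ACL set on the service itself.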


Memo : Windows NTP configuration

I'll be short about it, time is important!

The old way….

Net time /

The advised way….
Register the time service.

w32tm /register

Configure it to sync with an external ntp server.

w32tm /config /update /manualpeerlist:"" /syncfromflags:MANUAL /reliable:YES

View the current stats

w32tm /monitor

A little warning I feel should be made.
When you are updating back in time, the service might need some time to slowly correct the time. This is because otherwise conflicts might arise with time-dependent services and the like. Keep an eye on your Windows logs and use the /monitor switch to follow the NTP service.

Check which NTP pool to use for your own country at this location : Also, the listed pools mainly consist of STRATUM 2 public servers. This should be correct enough for your local network ^^.

Make sure that the NTP service can be reached, and make sure DNS is available. Otherwise, resolve the pool addresses yourself (they may change over time).

Memo : Find duplicate files in network shares.

Do you have a share floating around on your network that is basically a collection of files that really need some sorting? But sorting that chaos would mean rebuilding that whole tree? Well, you might want to try this 😉

1. Download the Swiss File Knife from SourceForge.
2. Copy the executable to your desktop, then copy this baby to C:\windows by typing the command underneath in Run.

(XP)
cmd.exe /c copy "c:\documents and settings\%username%\desktop\sfk152.exe" c:\windows\sfk.exe
(Vista)
cmd.exe /c copy "c:\users\%username%\desktop\sfk152.exe" c:\windows\sfk.exe

3. Open the cmd prompt by typing “cmd.exe” in Run.
4. Open or map a network location using the following command(s).

If authentication as a different user is needed, you're better off using this one. UPN usernames are also allowed: “/user:username@domain.ext”.
net use X: \\the.server.ip.addr\ShareName /user:domain\username
pushd  \\the.server.ip.addr\ShareName

5. Verify that the network location is your current location; C:\ or H:\ in networks is not correct ;).
6. Run the Swiss File Knife command and redirect any output by using the following command.

sfk dupfind . > "C:\documents and settings\%username%\desktop\sfkoutput.txt"

Thought this is also a nice one to remember / share 😀

Some Documentation about sfk can be found here…