
Q: How can I update "WSUS Offline Update" itself?

A: Unless the release notes or installation hints recommend otherwise, you may unpack a new version's archive (.zip) over/into an existing structure, provided you let existing files be overwritten.
Of course you may use the automatic self update functionality instead.
-------------------------------------------------------------------------------
Q: Can I exclude patches from download and/or installation?
A: Yes, that's possible by customizing the download and update scripts according to your requirements. You may add new patches or exclude existing ones. Please follow this guide:
1. Exclude patches from download
You have to differentiate between statically defined updates (like the latest Service Packs, for example) and updates that are determined dynamically at runtime of the script.
a) Statically defined updates
To exclude static updates from download, please delete the corresponding URL definitions in the matching file named "StaticDownloadLinks-<platform>[-<architecture>].txt" in the folder "static". Please note that the files residing here will be overwritten on a software update.
b) Dynamically determined updates
To exclude dynamically determined updates from download, insert their knowledge base ID (KBxxxxxx or simply xxxxxx) into the matching exclude file named "ExcludeList-<platform>[-<architecture>].txt".
2. Excluding updates from installation
Once again you have to differentiate between statically defined and dynamically determined updates.
a) Statically defined updates
The statically defined updates (latest version each) are:
- Service Pack (SP)
- Windows Update Agent (WUA)
- Microsoft Installer (MSI)
- Windows Script Host (WSH)
- Internet Explorer (IE)
These updates will be installed only if the version installed on the target system is lower than the versions defined in the file "SetTargetEnvVars.cmd" (directory .\client\cmd). If you generally want to prevent installation of one of those updates, you have to modify the expected values in "SetTargetEnvVars.cmd" or insert jump marks into "DoUpdate.cmd" (which controls the installation process). You should do this in very special cases only, as with SP, WUA, MSI and WSH, certain versions are required as preconditions.
b) Dynamically determined updates
To exclude dynamically determined updates from installation, insert their knowledge base ID (KBxxxxxx or simply xxxxxx) into the file "ExcludeList.txt" (directory .\client\exclude). These updates will now be ignored, and you'll receive a warning in the log.
The following updates are already excluded:
- kb816093 (Security update for Microsoft VM)
- kb951847 (.NET Framework 3.5 SP1 Family Update (will be explicitly installed if selected))
- kb890830 (Windows Malicious Software Removal Tool (MSRT))
- kb931125 (Trusted Root Certificates (will be explicitly updated if selected))
- kb2917500 (Revoked Root Certificates (will be explicitly updated if selected))
- kb926874 (Internet Explorer 7 (will be explicitly installed if selected))
- kb940767 (Internet Explorer 7 (will be explicitly installed if selected))
- kb944036 (Internet Explorer 8 (will be explicitly installed if selected))
- kb982861 (Internet Explorer 9 (will be explicitly installed if selected))
- kb2718695 (Internet Explorer 10 (will be explicitly installed if selected))
- kb2841134 (Internet Explorer 11 (will be explicitly installed if selected))
- kb976002 (Browser Choice)
- kb923618 (Office 2003 Service Pack 3 (will be implicitly installed if required))
- kb2526086 (Office 2007 Service Pack 3 (will be implicitly installed if required))
- kb2687455 (Office 2010 Service Pack 2 (will be implicitly installed if required))
- kb2817430 (Office 2013 Service Pack 1 (will be implicitly installed if required))
- kb936929 (Windows XP Service Pack 3 (will be implicitly installed if required))
- kb914961 (Windows Server 2003 Service Pack 2 (will be implicitly installed if required))
- kb936330 (Windows Vista Service Pack 1 (will be implicitly installed if required))
- kb948465 (Windows Vista Service Pack 2 (will be implicitly installed if required))
- kb976932 (Windows 7 Service Pack 1 (will be implicitly installed if required))
Please be aware that excluding updates may have an impact on the security of your PC.
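Because every extra line in an exclude file is a patch that silently stays uninstalled, it is worth auditing the file against the default list above. The following Python sketch is an added example, not part of WSUS Offline Update; it assumes one ID per line in the "KBxxxxxx or simply xxxxxx" form with 6 or 7 digits, and the sample file content is constructed.

```python
import re

# Default exclusions copied from the list in the FAQ above (digits only).
DEFAULT_EXCLUDED = {
    "816093", "951847", "890830", "931125", "2917500", "926874", "940767",
    "944036", "982861", "2718695", "2841134", "976002", "923618", "2526086",
    "2687455", "2817430", "936929", "914961", "936330", "948465", "976932",
}

# Assumption: one ID per line, with or without the "kb" prefix, 6-7 digits.
KB_LINE = re.compile(r"^(?:kb)?(\d{6,7})$", re.IGNORECASE)

# Constructed sample content of an ExcludeList.txt (the 000000x IDs are fake).
SAMPLE = """kb816093
KB890830
976002
kb0000001
0000002
KB0000001
see ticket 42
"""


def parse_exclude_list(text):
    """Return (ids, rejected): normalized KB numbers and unparseable lines."""
    ids, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        match = KB_LINE.match(entry)
        if match:
            ids.append(match.group(1))
        else:
            # Report instead of dropping: a mistyped ID excludes nothing.
            rejected.append((lineno, entry))
    return ids, rejected


def audit(text):
    """Split entries into custom exclusions, duplicates and rejected lines."""
    ids, rejected = parse_exclude_list(text)
    seen, custom, duplicates = set(), [], []
    for kb in ids:
        if kb in seen:
            duplicates.append(kb)
            continue
        seen.add(kb)
        if kb not in DEFAULT_EXCLUDED:
            custom.append(kb)  # a patch someone chose not to install
    return {"custom": custom, "duplicates": duplicates, "rejected": rejected}


if __name__ == "__main__":
    report = audit(SAMPLE)
    for kb in report["custom"]:
        print(f"custom exclusion, review: kb{kb}")
    for lineno, entry in report["rejected"]:
        print(f"line {lineno} is not a KB ID: {entry!r}")
```

Each custom exclusion the script reports should map to a documented reason; anything else is a patch gap on every machine installed from that medium.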
-------------------------------------------------------------------------------
Q: Can I download/install additional patches?
A: Yes, you can adjust how the download and update scripts behave by excluding or adding patches from download or installation. To add updates, proceed as follows:
1. Adding updates to download routines
To add an update to be downloaded, insert its download URL into the matching "StaticDownloadLinks-<platform>[-<architecture>]-<language>.txt" file, found in the "...\static\custom" directory. Please don't forget a trailing <CR><LF>.
2. Adding updates to installation routines
Add an update to installation by inserting its knowledge base ID (KBxxxxxx or simply xxxxxx) into the matching "StaticUpdateIds-<platform>[-<architecture>].txt" file (directory "...\client\static\custom"). Please don't forget a trailing <CR><LF>.
-------------------------------------------------------------------------------
Q: Can I skip the dynamic update determination during downloading/installation in order to use my static definitions only?
A: Yes.
To avoid dynamic update URL determination during download, add "skipdynamic=Enabled" to the [Miscellaneous] section of your UpdateGenerator.ini file.
To avoid dynamic update ID determination during installation, set "skipdynamic=Enabled" in the [Installation] section of your UpdateInstaller.ini file.
-------------------------------------------------------------------------------
Q: I already have the latest Service Pack for my selected OS and don't want to have it downloaded again. Can I integrate it into the WSUS Offline Updater somehow?
A: Yes, if the following preconditions are met: First, you have to put the file into the correct directory; for an XP-SP3 English, this would be ".\client\wxp\enu", for example. Additionally, the filename and the size have to match the properties on Microsoft's servers, in this example "WindowsXP-KB936929-SP3-x86-ENU.exe" with a size of 331,805,736 bytes. As the download uses "wget" with the "-N" option (timestamping), the local copy also must not be older than the copy on the Microsoft server.
-------------------------------------------------------------------------------
Q: Can I integrate patches for products made by third parties?
A: No, and there are no plans to add this. Patches from third parties commonly have completely different command line parameters which makes an integration problematic, if not impossible. Additionally, the Offline Update is meant for making a PC as secure as possible before going online. Updates from third parties can then be downloaded from their respective websites. Many third party products offer some kind of auto-update mechanism to keep themselves current, e. g. Acrobat Reader, Firefox, Thunderbird, SUN Java Runtime, and others.
-------------------------------------------------------------------------------
Q: Is it possible to automate the creation of the update media (CD/DVD images), with a scheduled task maybe? If yes, how do I do that?
A: Create a new batch file in the ".\cmd" directory, e. g. "DownloadUpdatesAndCreateISOImage.cmd". Then enter the desired calls to "DownloadUpdates.cmd" and "CreateISOImage.cmd" with the required options into this file. An example of such a file would be:
@echo off
call DownloadUpdates wxp enu
call CreateISOImage wxp enu
Next, create a scheduled task for your new custom script "DownloadUpdatesAndCreateISOImage.cmd" and select the desired run time. For example, if you intend to create new update media following each Microsoft Patchday, select "second Wednesday of every month".
-------------------------------------------------------------------------------
Q: Can I start update installation from a shared network resource?
A: Yes, but you should only use the "Automatic reboot and recall" feature if the shared resource permits anonymous access. Otherwise the automatic recall will fail, because the share won't be accessible for the temporary administrator account "WOUTempAdmin".
If the network share doesn't have a drive letter assigned, the "UpdateInstaller" script will automatically do a drive mapping, because cmd.exe does not support UNC paths (\\<server>\<share>) as the current directory (see http://support.microsoft.com/kb/156276/).
If you would like to assign a drive letter yourself using the "map network drive" feature or "net use" command, you'll have to do this in an administrative context/command shell (Windows Vista/7/Server 2008(R2)), because the "UpdateInstaller" script requests administrative privileges for patch installation.
Please keep in mind that installing patches over the network is against the philosophy of an Offline update, and the machine may be vulnerable to attacks while the update process is still in progress.
-------------------------------------------------------------------------------
Q: A patch is installed over and over again, in spite of being installed already on the target system. What is the reason and how can I resolve this?
A: This problem regularly occurs when doing kernel updates on OEM systems; it's a Microsoft issue.
To solve the issue, install such updates manually and specify the "/o" (or "/overwriteoem") switch (as shown on http://support.microsoft.com/kb/262841).
-------------------------------------------------------------------------------
Q: When installing patches I receive a warning that kb890830 and kb976002 have been skipped. Why aren't they integrated?
A: Patch kb890830 is not really an update, but the Malicious Software Removal Tool (MSRT). This tool (MRT.exe) scans the PC once after a reboot for possible malware infections, but it is inferior to commercial virus software in terms of detection rate and updating frequency (it's only updated once a month on most PCs). Additionally, multiple versions are contained in WSUSSCN2.CAB (Microsoft's update catalog), so it's already filtered out on download. Patch kb976002 is the Browser Choice update for the European market.
-------------------------------------------------------------------------------
Q: On patch installation I receive warnings about further missing updates. What's up?
A: WSUS Offline update by default downloads only patches contained in Microsoft's catalog WSUSSCN2.CAB. This includes at least all critical and security-related patches, but not every important, recommended or optional one. If you feel the need to include them, you are free to do so manually (see above).
-------------------------------------------------------------------------------
Q: Can I force installation of patches despite them being installed already on the target system?
A: Yes, but not with the GUI (UpdateInstaller.exe). Call the batch file "Update.cmd" directly using the "/all" option, e. g. "Update.cmd /autoreboot /showlog /all".
-------------------------------------------------------------------------------
Q: On my target system, the missing updates can't be determined; on another computer, missing updates will be installed again and again. Why?
A: In most cases, the Windows Update Agent (WUA) is responsible for this misbehavior. To resolve this problem, please follow the instructions to reset the Windows Update components (http://support.microsoft.com/kb/971058).
-------------------------------------------------------------------------------
Q: On installation of patches I'm getting strange errors in the command line window, e. g. "C:\wsusupdate\client\cmd\DetermineSystemProperties.vbs(92, 3) (null): 0x80041014". Then the script terminates. What is the cause and how can I solve this problem?
A: For trouble-free execution, the script requires the correct installation and configuration of the following Windows services/components: "Automatic Update/Windows Update (WUA)", "Windows Script Host (WSH)" and "Windows Management Instrumentation (WMI)". Please check first if you have restricted or even disabled these services with tools like TweakUI, nLite/vLite, XP-Antispy, XPy, Tuneup Utilities etc.
If that's not the case, the cause is most probably a faulty registration of the scripting components or of WMI.
To (re-)register the scripting components on your computer, please follow the instructions at http://support.microsoft.com/kb/949140.
To check your WMI installation, use Microsoft's WMI diagnostics tool (http://www.microsoft.com/downloads/details.aspx?familyid=d7ba3cd6-18d1-4d05-b11e-4c64192ae97d&displaylang=en). Further technical information is given on http://technet.microsoft.com/en-us/library/cc787057(WS.10).aspx; you'll find the WMI FAQs on http://technet.microsoft.com/en-us/library/ee692772.aspx.
-------------------------------------------------------------------------------
Q: When installing patches I'm receiving the error: "...\ListMissingUpdateIds.vbs(17, 1) (null): The file or directory is corrupted and unreadable." or "...\ListMissingUpdateIds.vbs(17, 1) (null): The signature of the certificate cannot be verified." How can I solve that problem?
A: This error occurs if the file ".\client\wsus\wsusscn2.cab" is truncated/corrupted because it has not been downloaded completely. Of course this invalidates its digital signature. Please rerun the download and media creation to replace the bad file.
-------------------------------------------------------------------------------
Q: My antivirus package reports the downloaded archive to be infected by a virus/trojan. Is that true?
A: This is with very high probability a false positive! The archive contains compiled AutoIt3 scripts, which some antivirus programs generally detect as malware. You can verify the clean status of the scripts (*.au3) by compiling them yourself using the AutoIt3 compiler (http://www.autoitscript.com/autoit3/). Alternatively, upload the downloaded archive to a site like VirusTotal (http://virustotal.com) or Jotti (http://virusscan.jotti.org) and let it be scanned by a multitude of antivirus engines. Additionally, many antivirus suites have the possibility to send the presumed false positives to the author, either manually over a web form/email or automatically within the program. This will improve detection abilities of these products.
-------------------------------------------------------------------------------
Q: While downloading patches I'm receiving messages like "ERROR 404: Not Found.". Does the Offline Updater use invalid URLs?
A: No, but Microsoft does. The URLs will be determined at runtime from Microsoft's catalog package.xml, contained in the file wsusscn2.cab. For unknown reasons, Microsoft has these invalid URLs in the file.
-------------------------------------------------------------------------------
Q: I have selected creating an Office update medium in my specific language, e. g. Russian. But there are patches in English language downloaded, too. Why is this?
A: Some patches in Microsoft's catalog wsusscn2.cab (package.xml) are language dependent, but others only exist in English. The latter are patches for language-independent parts of Office and can be installed on non-English Office installations without any problems.
For that reason, an additional subdirectory named "glb" (global) has been created, besides the existing ones like "deu", "enu", "rus" etc. The glb directory stores the dynamically determined patches which only exist in English, no matter what language has been selected. In the case of Office 2003, the Service Packs for Project, Visio etc. which are in English will be filtered out when creating an update medium. This will save space.
-------------------------------------------------------------------------------
Q: I'm about to burn a 500MB ISO image using Nero, but I'm receiving a message telling me the ISO is too big in size. Is the ISO corrupt?
A: No, certainly not. Nero, in some versions, seems to have problems in determining the CD/DVD size required. Please update Nero or use another CD/DVD/BluRay recording software like ImgBurn (http://imgburn.com).
-------------------------------------------------------------------------------
Q: My ISO image is too big to fit on a CD. How can I record it using a DVD?
A: There's no difference in how recording software treats the CD or DVD ISO and media. That means, as long as your recording software supports the ISO format and DVDs, you can burn every ISO image on DVD, too. Note that in some cases when the ISO is smaller than 1 GiB, the recording software will add padding data to the end to write at least 1 GiB. This is for compatibility reasons and will have no influence on the CD/DVD contents.
-------------------------------------------------------------------------------
Q: When creating an ISO, I receive the warning: "ISO-9660 filenames longer than 31 may cause buffer overflows in the OS." Should I be alarmed?
A: No. This is a generic warning which is displayed on every run for creating WSUS Offline Update ISOs. It is only a note that breaking the restrictions of the original ISO9660 filesystem (only short filenames like FILENAME.EXT) may have undesired effects on older operating systems like MS-DOS, especially with filenames of 32 chars or longer. All platforms relevant for the Offline Updater handle this without problems, so no need to worry.
-------------------------------------------------------------------------------
Q: Is it possible to integrate the downloaded patches from Offline Update into an OS installation disc via slipstreaming?
A: Not all patches support slipstreaming. Besides, as new patches are released every month (and sometimes even more frequently), you would have to create a new disc every time. Therefore we recommend slipstreaming only the latest Service Pack and installing the rest of the patches after OS installation, using the Offline Updater.
-------------------------------------------------------------------------------
Q: I used the "automatic reboot and recall" option, but the WSUS Offline Updater doesn't resume its work as intended. What can I do?
A: It seems you have stored the Offline Updater files in a restricted area of your filesystem, which the temporary account "WOUTempAdmin" cannot access despite having administrative rights. This could be a user specific directory like "(My )Documents" or "Desktop", or an NTFS encrypted one. Please use another base directory for installation of patches.
-------------------------------------------------------------------------------
Q: I have selected "Show log file", but after finishing the installation and rebooting, the log is not shown. What's the reason?
A: Maybe the user account you're logging in with after the final reboot has no permission to access the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce or the log file (%SystemRoot%\wsusofflineupdate.log). Please log in once with a sufficiently privileged account after finishing installation and reboot.
-------------------------------------------------------------------------------
Q: I enabled the "automatic reboot and recall" option, and now my PC automatically logs into the "WOUTempAdmin" account. How can I prevent that and revert to my previous account settings?
A: That issue rarely happens. Please help improve the software by submitting a detailed error report, including the preconditions and how to reproduce the error, to the development team.
To "clean up" your OS do the following:
- Cancel running update scripts using <Ctrl>+C;
- Execute the "CleanupRecall.cmd" script in the "cmd" directory, then reboot.
If it still won't work, follow this guide:
- Log off the "WSUSAdmin" account. While doing this, hold the <Shift> key to prevent automatic login and show the Logon screen instead.
- Log on the "Administrator" account (or an account with administrative rights).
- Check for the existence of a file named "%SystemRoot%\wsusbak-winlogon.reg".
- If the file exists, start the registry editor ([Start - Run...] regedit) and delete the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon". Then merge the backed up values back into the registry by double-clicking the "%SystemRoot%\wsusbak-winlogon.reg" file and confirming the prompt. Then you can delete that file.
- If the file doesn't exist, start the registry editor ([Start - Run...] regedit) and modify some values of the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" as follows:
  - DefaultUserName: Administrator (or another user account of your choice)
  - DefaultPassword: Delete value
  - AutoAdminLogon: Delete value
  - ForceAutoLogon: Delete value
- Delete the "WOUTempAdmin" account using the "User accounts" Control Panel item.
- Delete the user profile files if they still exist (XP: C:\Documents and Settings, Vista/7: C:\Users).
- Reboot.
-------------------------------------------------------------------------------
Q: During download, I receive a file integrity verification failure. What can I do to resolve this?
A: If you're sure that the patch files in your repository weren't manipulated, you may delete the corresponding checksum files under ...\client\md. They'll then be recreated during the next download run.
-------------------------------------------------------------------------------
Q: Why are check boxes grayed out when I start UpdateInstaller.exe?
A: The check boxes' availability is dependent on platform, update medium and package installation state.
-------------------------------------------------------------------------------
Q: During download or installation, I receive an error indicating an invalid package.xml file. What can I do?
A: Your copy of Microsoft's update catalog file (...\client\wsus\wsusscn2.cab) seems to be corrupt. Please delete it and re-run the download process.
-------------------------------------------------------------------------------
Q: Can I let the download window(s) stay in the background?
A: Yes. Please edit the UpdateGenerator.ini file and add an entry/line "minimizeondownload=Enabled" to the "[Miscellaneous]" section.
-------------------------------------------------------------------------------
Q: After installation of patches using the WSUS Offline Update finished, an empty box without contents appears on every reboot. Only when I click "OK", the boot process continues.
A: It's uncertain at this time what causes this behavior. Please log in as "Administrator" and check if the Windows registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" contains a value named "WSUSOfflineUpdate", or if the key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" contains values named "DeleteWOUTempAdminProfile" or "ShowOfflineUpdateLogFile". If they exist, delete them.
Should these entries not exist in the registry, this behavior was not caused by the Offline Updater. The WSUS Offline Updater team welcomes further hints concerning this problem.
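The registry checks in this answer and in the "WOUTempAdmin" auto-logon answer further up can be done in one pass over a "reg export" of the affected keys. The Python sketch below is an added example, not part of WSUS Offline Update; the key paths and value names are the ones given in this FAQ, while the sample export and its data values are constructed.

```python
import re

# Key paths and value names below are the ones named in the FAQ text.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = RUN + "Once"
AUTOLOGON_VALUES = ("DefaultPassword", "AutoAdminLogon", "ForceAutoLogon")
LEFTOVER_VALUES = {
    RUN: ("WSUSOfflineUpdate",),
    RUNONCE: ("DeleteWOUTempAdminProfile", "ShowOfflineUpdateLogFile"),
}
TEMP_ACCOUNT = "WOUTempAdmin"

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export; the data values are invented for illustration.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="WOUTempAdmin"
"AutoAdminLogon"="1"
"DefaultPassword"="constructed-placeholder"
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowOfflineUpdateLogFile"="notepad.exe C:\\Windows\\wsusofflineupdate.log"
'''


def unescape(s):
    """Undo .reg escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        match = VALUE_LINE.match(line)
        if current is None or not match:
            continue  # header, blank line, default value or hex continuation
        name, data = unescape(match.group(1)).lower(), match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        elif data.startswith("dword:"):
            data = int(data[6:], 16)
        current[name] = data
    return keys


def find_leftovers(text):
    """Return (key, value_name, action) for each leftover the FAQ names."""
    keys, findings = parse_reg(text), []
    winlogon = keys.get(WINLOGON.lower(), {})
    for name in AUTOLOGON_VALUES:
        if name.lower() in winlogon:
            findings.append((WINLOGON, name, "delete value"))
    if str(winlogon.get("defaultusername", "")).lower() == TEMP_ACCOUNT.lower():
        findings.append((WINLOGON, "DefaultUserName", "set to another account"))
    for key, names in LEFTOVER_VALUES.items():
        present = keys.get(key.lower(), {})
        for name in names:
            if name.lower() in present:
                findings.append((key, name, "delete value"))
    return findings


if __name__ == "__main__":
    # A real export is UTF-16: open(path, encoding="utf-16").read()
    for key, name, action in find_leftovers(SAMPLE):
        print(f"{key}\\{name}: {action}")
```

A leftover "DefaultPassword" deserves priority, since Winlogon stores that value in plain text where any account that can read the key can see it.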
-------------------------------------------------------------------------------
Q: I miss IEx, .NET, MSSE and WLE installation files for my language. Why aren't they downloaded and what can I do to have them downloaded?
A: Since Service Packs and updates for Windows Vista / 7 / Server 2008(R2) are multilingual, there's no 24-language selection table for these platforms, so by default, only the English and German versions of those localized installation packages for IEx, .NET, MSSE and WLE will be downloaded.
To have your favorite locale(s) downloaded in addition, you may use the ...\cmd\AddCustomLanguageSupport.cmd script.
-------------------------------------------------------------------------------
Q: The determination of "superseded updates" takes more than 15 minutes. How can I speed it up?
A: Some antivirus scanners (especially "Microsoft Security Essentials" (MSSE)) slow down the required calculations. You may temporarily disable your AV scanner or define an appropriate exception.
-------------------------------------------------------------------------------
Q: I miss the x64 versions of Office 2010 Service Pack 2 and Office 2013 Service Pack 1. How can I have them downloaded?
A: Please call ...\cmd\AddOffice2010x64Support.cmd {lng} once to add their URLs to your custom static download definitions (see directory ...\static\custom).
-------------------------------------------------------------------------------
Q: I don't need the German installation files for IEx, .NET, MSSE and WLE. How can I disable their downloads?
A: Please call ...\cmd\RemoveGermanLanguageSupport.cmd once to remove their URLs from the static download definitions.
--------------------------------------------------------------------------------
