Server 2008, Windows Update Service is Disabled

Server 2008, Windows Update Service is Disabled, Net Start wuauserv shows that it is disabled and unable to start, When I look in services, I can set it to automatic, start. Start the service, go to Windows update and try to download an update and it disables itself again. Have scanned for virus an spyware, all is clean, can not find anything In Group Policy that would cause this, I need some guidance here experts.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Very strange. I would look through the event logs and running processes and investigate them. If it is being stopped and disabled then that sounds like malware to me.

(of course it could be something I don't know anything about ;-) )
Snowbella KilangitCommented:
Have you checked your events to see why it is doing that, do you have enough disk space? When was the last time you ran the WSUS clean up wizard
Michael MachieIT SupervisorCommented:
Is your Windows Firewall enabled? I believe that must be running for WSUS to work properly.
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Jeremy WeisingerSenior Network Consultant / EngineerCommented:
Oh, that's a good question, are we talking about "Windows Update" (wuauserv) or "Update Service" (wsusservice)?
arkmatAuthor Commented:
Windows firewall was disabled, I re-enabled and same results, In Services, it is Windows Update, I believe that is the wuauserv because when I try Net Start wuauserv, it gives me the error that the service is disabled. I can go to Services and enable, start the service, While it shows service is started when I look at properties it is disabled again, Just that fast.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
OK, since this is the Windows Update service, I'm going back to my original recommendation of combing through the event logs and checking the running processes.

I would also recommend doing an online scan with a vendor you trust (Eset, Kaspersky, etc) and see if they detect any infection.
Kamal KhaleefaInformation Security SpecialistCommented:
Refer to the following article
Enable windows update by registry
If it disabled again from registry you will need to check task schedule to see if any process disable it
arkmatAuthor Commented:
Sorry I have not been back here sooner, Up to my A-- in Aligators!!  Ok, first thing is I tried to enable updates thru the registry as King 2002 suggested and I find that WindowsUpdate is not listed anywhere in the registry, I went to the places listed in the TechNet article and found nothing I also ran a search and found nothing.

 I ran Windows Malicious software removal and Trend Housecall and found nothing, I ran Kaspersky and have been deleting and disinfecting ever since. Kasperskey found Expiro virus everywhere, after several scans I am getting almost all of it. Think a couple more will do it. Malware bytes nor any of my other anti spyware caught any of this.  Now my original problem was unable to keep update service running, while I realize that the virus may have cause this, how do I correct it??
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
If possible, backup all your data, reformat, reinstall Windows, restore data.

That's the best way to clean your system.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
arkmatAuthor Commented:
While a format is the best way to clean it is not an option as there is critical software installed on this server that can not be reinstalled.
I would be interest to see what value is set for the Windows Update service in the registry HKLM\System\CurrentControlSet\Services
arkmatAuthor Commented:
Hello Compdigit44, thank you for your help. There is no WindowsUpdate Service at that location but there is a wuauserv, pasted below are the values:

Windows Registry Editor Version 5.00

"DisplayName"="Windows Update"
"Description"="Enables the detection, download, and installation of updates for Windows and other programs. If this service is disabled, users of this computer will not be able to use Windows Update or its automatic updating feature, and programs will not be able to use the Windows Update Agent (WUA) API."



Thank You in advance
I see you start dword value is set to: ""Start"=dword:00000004" which means disabled..

Backup this registry key try changing it to 2 which is automatic.. then reboot
arkmatAuthor Commented:
I changed the value in registry an rebooted an received the same results, As soon as I tried to do an Windows Update the service was disabled again.
Jeremy WeisingerSenior Network Consultant / EngineerCommented:
While a format is the best way to clean it is not an option as there is critical software installed on this server that can not be reinstalled.
I know this is a pain but since it's a critical server, it really is important to know it's clean. I highly recommend reformatting. Work with the software vendor to backup and reinstall.

Then lock down the server so it doesn't happen again. This means removing all unnecessary software and components, not using the server for anything except administering the software, installing the latest updates for Windows and the software, and (maybe the most important) making sure all administrators had admin accounts that are only used for administrative tasks and never used to browse the Internet or logon to client machine.

Those are a few of the practices that will help prevent this in the future.
arkmatAuthor Commented:
Finally bit the bullet, formatted drive, now we're off to more fun and games reinstalling things that make life Merry!    NOT!  

Thank You Guys for all the help.
arkmatAuthor Commented:
Gave it a B as it was not the best option just the only thing practical at the time.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.