Automatic Updates Service Terminated


SYMPTOMS

In some cases, the AU service terminates with the following event log error:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
User: N/A
Computer: W2000XP
Description:
The Automatic Updates service terminated with the
following error: The class is configured to run as a security id different from the caller.

BACKGROUND

This error was seen in a cloned PC environment that used newsid.exe to resolve SID duplication on cloned systems. The machine started complaining upon trying to start the AU service after that. We deleted the registry values that contain the WUS GUIDs, but can't seem to start the AU service.

Note: If you (Microsoft) fix this problem, please let us know here.

Track ID is: 198320380.


Comments:

From rialtus - 2/14/06 12:00 PM

I commented on this over in my LiveJournal (http://rialtus.livejournal.com/193982.html), but we had a case where a GPO was controlling the Automatic Updates and BITS services, and the resolution was to give Network Service the Read right to the service. Everything worked smashingly after that.

From Neiltb - 4/18/05 8:04 AM

After fixing the problem with the previous instructions, I soon broke again with the security template I had used when we first built the machines. Originally we were using another patch management solution so we had disabled Automatic Updates. When it was disabled, the default security settings (Pre SP2) were installed which removed Authenticated Users.

In order to fix it without touching all of the computers manually, I modified the Default Computer Policy on the domain. I modified the Automatic Updates service in the policy and set the permissions on the service so that Authenticated Users had read access and of course set the service to Automatic. Once the policy was modified and updated on the SP2 machines, the service started.

From Neiltb - 4/7/05 8:34 AM

We ran into this problem and were able to resolve the issue. The problem was not solely with WSUS but with WSUS and Service Pack 2 for Windows XP.
Note: if you are using Windows Firewall/Internet Connection Sharing you must perform the steps on that service as well.

Problem was identified by using Article 892199.

Cause:

The problem may occur if certain Administrative Templates from the Windows XP Security Guide were applied to the computer before Windows XP SP2 was installed. The problem occurs because of a problem in some of the security templates that were published as part of the Windows XP Security Guide.

In Windows XP SP2, remote procedure call (RPC) runs using the NT Authority\NetworkService account. The default security descriptor for services in Windows XP SP2 gives Read access to the Authenticated Users group, which includes the NT Authority\NetworkService account.

Resolution:

The service that controls the Automatic Updates service is named wuauserv. The default security descriptor (SD) gives READ access to LocalSystem (SY), PowerUsers (PU), and AuthenticatedUsers (AU), and it gives Full Control access to Administrators (BA).

To view the SD of wuauserv, type SC sdshow wuauserv at the command prompt, and then press ENTER. The default SD appears and is similar to the following:


D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Note: For more information about how to interpret the strings, visit the following MSDN Web site and search for SDDL or "ACE strings": http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/ace_strings.asp

Note: To open the command prompt, click Start, click Run, in the Open box, type CMD, and then click OK.

If you see any output other than the one illustrated in this example, you can reset the SD using the SC command with the sdset option. To restore the default SD for the wuauserv service, type the following command at the command prompt, and then press ENTER:

SC sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

For more information about the SC sdset command, see Windows Help.

Follow the same steps for the Windows Firewall/Internet Connection Sharing (ICS) service except replace wuauserv with SharedAccess.
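
Added example (not part of the original wiki page, the comments above, or Article 892199): a Python check that parses the output of SC sdshow and reports which rights each trustee has lost relative to the default wuauserv descriptor quoted above. The function names and the SAMPLE_NO_AU descriptor are constructed for illustration, and only allow ACEs are evaluated.

```python
import re

# Two-letter SDDL rights as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Default wuauserv descriptor exactly as quoted on this page.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

# Constructed sample: the same descriptor with the Authenticated Users ACE removed.
SAMPLE_NO_AU = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWRPWPDTLOCRRC;;;PU)")

def parse_dacl(sddl):
    """Return {trustee: set of right codes} granted by allow ACEs in the DACL."""
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    if dacl is None:
        raise ValueError("no DACL (D:) section in descriptor")
    granted = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type != "A":
            continue  # only allow ACEs are modelled; deny ACEs need manual review
        codes = re.findall("..", rights)
        if "".join(codes) != rights or any(c not in SERVICE_RIGHTS for c in codes):
            raise ValueError(f"unrecognised rights string: {rights}")
        granted.setdefault(trustee, set()).update(codes)
    return granted

def missing_from_default(sddl):
    """Rights each trustee holds in DEFAULT_SD but lacks in `sddl`, by name."""
    current = parse_dacl(sddl)
    gaps = {}
    for trustee, rights in parse_dacl(DEFAULT_SD).items():
        lost = rights - current.get(trustee, set())
        if lost:
            gaps[trustee] = sorted(SERVICE_RIGHTS[c] for c in lost)
    return gaps

if __name__ == "__main__":
    print(missing_from_default(SAMPLE_NO_AU))
```

An empty result means the descriptor grants at least what the default does; an "AU" entry matches the condition described in the comments above, where Authenticated Users (and with it NT Authority\NetworkService) no longer has Read access to the service.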



Last Modified 4/12/05 2:04 PM