regsvr32.exe and wuauclt.exe


beethoven
August 23rd, 2007, 11:09 PM
Not sure which forum is the most appropriate now that PG has been closed but I am hoping someone will have an answer to this:

My XP is configured to notify me about new updates, and I usually check first for any experiences others have had before updating.
This morning two of my PCs came up with some PG (ProcessGuard) alerts about regsvr32.exe looking for some DLL.
Looking up that file, it seemed OK to allow. However, this has continued to further alerts now relating to wuauclt.exe and I am a bit concerned, especially as it is not a normal update patch.

This is the latest alert from PG:
wuauclt.exe in folder x\windows\system32\ launched by windows32\svchost.exe
commandline x\windows\system32\wuauclt.exe"/runstoreascomserver local \[458]suds and various numbers

Can anybody tell me what is happening and whether this is normal?

Climenole
August 24th, 2007, 06:41 AM
Hi beethoven :)

Yes this is normal: Windows Update process...

Next time, check what's happening with Process Explorer:
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

:)

beethoven
August 24th, 2007, 09:06 AM
Thanks Climenole,
I was just concerned that this update seemed to be following a very different process than the normal Tuesday updates, where I get a notification that an update is available and the option to download and install at my leisure.
Seems this one started by stealth.

TopperID
August 26th, 2007, 03:14 PM
{QUOTE-> PG (Processguard) alerts about regsvr32.exe looking for some dll.... <-QUOTE}
I think it's looking for wups.dll and wups2.dll. ;)
{QUOTE-> this has continued to further alerts now relating to wuauclt.exe and I am a bit concerned especially as it is not a normal update patch. <-QUOTE}
I'm not concerned but I am annoyed; wuauclt.exe has changed and it looks like we could be lumbered with svchost.exe starting up Regsvr32.exe regularly from now on. That's annoying 'cos I like to have Regsvr32.exe set to permit 'once' 'cos it is potentially dangerous if exploited - that means pop-ups from now on. >:(

Fortunately SSM users can make use of the parameters option.
{QUOTE-> ...especially as it is not a normal update patch. <-QUOTE}
No it's not a normal patch; wuauclt seems to have been changed. :o

alfa1
August 27th, 2007, 03:35 AM
{QUOTE-> Can anybody tell me what is happening and whether this is normal? <-QUOTE}

The same for me.

ProSecurity Log:

wuauclt.exe
[EXECUTE] 2007.08.24 08:35:46
[ALLOW] C:\WINDOWS\system32\wuauclt.exe
Command Line:"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[5d0]SUSDS797ccd7755d1c349821bfdd4d1e8bc7b
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


regsvr32.exe
[EXECUTE] 2007.08.24 08:38:32
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wuapi.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


regsvr32.exe
[EXECUTE] 2007.08.24 08:38:56
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wucltui.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs


wuauclt.exe
[EXECUTE CHANGED PROGRAM] 2007.08.24 08:40:06
[ALLOW] C:\WINDOWS\system32\wuauclt.exe
Command Line:"C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[5d0]SUSDS287dc77c19ee3040a021c628a516a8de
[ACCESS TO] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs

-----------------------------------------------
After reboot,

regsvr32.exe
[EXECUTE] 2007.08.24 08:46:12
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wups.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs



regsvr32.exe
[EXECUTE] 2007.08.24 08:46:12
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wups2.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs
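
Added example (not part of any post in this thread): a Python version of the parameter-based rule mentioned above, applied to log entries in the ProSecurity layout. It treats a regsvr32.exe launch as expected only when the parent is `svchost.exe -k netsvcs` and the target is one of the four DLLs seen in the logs; the allowlist, the sample entries and the function names are assumptions for illustration, not SSM's or ProSecurity's own rule syntax.

```python
import re

# Assumption: the regsvr32 targets seen in this thread's Windows Update logs.
ALLOWED_DLLS = {"wuapi.dll", "wucltui.dll", "wups.dll", "wups2.dll"}
ALLOWED_PARENT = r"c:\windows\system32\svchost.exe -k netsvcs"
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample in the ProSecurity layout quoted above; entry 2 is invented.
SAMPLE_LOG = r'''
regsvr32.exe
[EXECUTE] 2007.08.24 08:46:12
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\WINDOWS\system32\wups.dll"
[FROM] C:\WINDOWS\System32\svchost.exe
Command Line:C:\WINDOWS\System32\svchost.exe -k netsvcs

regsvr32.exe
[EXECUTE] 2007.08.24 09:01:00
[ALLOW] C:\WINDOWS\system32\regsvr32.exe
Command Line:/s "C:\Temp\example.dll"
[FROM] C:\WINDOWS\explorer.exe
Command Line:C:\WINDOWS\explorer.exe
'''

def parse_entries(text):
    """Split the log into entries: image path, its arguments, parent command line."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        image = re.search(r"^\[ALLOW\]\s*(.+)$", block, re.M)
        cmds = re.findall(r"^Command Line:(.*)$", block, re.M)
        if image and len(cmds) == 2:
            entries.append({"image": image.group(1).strip(),
                            "args": cmds[0].strip(), "parent": cmds[1].strip()})
    return entries

def regsvr32_allowed(entry):
    """True only for svchost -k netsvcs launching regsvr32 /s on a known system32 DLL."""
    m = re.fullmatch(r'/s\s+"([^"]+)"', entry["args"], re.I)
    if not m or entry["parent"].lower() != ALLOWED_PARENT:
        return False
    target = m.group(1).lower()
    return target.startswith(SYSTEM32) and target[len(SYSTEM32):] in ALLOWED_DLLS

def review(text):
    """Return (args, verdict) for every regsvr32 launch found in the log."""
    return [(e["args"], "expected" if regsvr32_allowed(e) else "review")
            for e in parse_entries(text) if e["image"].lower().endswith("\\regsvr32.exe")]

print(review(SAMPLE_LOG))
```

Anything marked "review" is a launch the rule does not recognise; it still needs a manual decision, as with a 'permit once' prompt.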