Have a machine in update mode and running diagnostics.
In the current policy I have around 10 'Updaters'.
When I look at the Diagnostic Suggestions it states programs like 'Update.exe' and 'WindowsXP-KB956802-x86-ENU.exe' (a test patch).
Is there a way to see what called these executables, as I believe it should be my third-party patch deployment software, which I have as an Updater?
Hi, the run diag options, I find, aren't as useful as a well-built query. Use the prebuilt queries for attempted violations, or build your own to look for the workflow ID you configured when putting your system into update mode. From the output of that query you can find all the events that happened due to the change, or that were denied. The next part is a bit trickier. You then need to go to the system and use Tasklist or Task Manager to find the process. If you can't, you may need to run Process Monitor to find the process trying to make the changes. In Process Monitor you can also trace the process structure back to the parent process.
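As an added example (not from the thread above), the parent-chain lookup the answer describes can be done from PowerShell for processes that are still running, without Process Monitor: it resolves each flagged image back through its parents so you can see whether the patch deployment tool is the launcher. The image names are taken from the question and are placeholders; the script assumes a Windows host with CIM available and is only useful while the process is alive.

```powershell
# Added example: walk the parent chain of running processes whose image name
# matches one flagged as an updater. Image names below are placeholders from
# the question; replace them with the ones your diagnostics report.
param(
    [string[]]$ImageNames = @('Update.exe', 'WindowsXP-KB956802-x86-ENU.exe')
)

# Snapshot all processes once so the parent lookup is consistent.
$all = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

function Get-ParentChain {
    param($Process)
    $chain = @()
    $current = $Process
    while ($null -ne $current) {
        $chain += $current
        $parent = $byPid[$current.ParentProcessId]
        # Stop if the parent has exited or the chain loops back on itself.
        if ($null -eq $parent -or $parent.ProcessId -eq $current.ProcessId) { break }
        # PID reuse guard: a genuine parent must have started before its child.
        if ($parent.CreationDate -gt $current.CreationDate) { break }
        $current = $parent
    }
    return $chain
}

foreach ($proc in $all | Where-Object { $ImageNames -contains $_.Name }) {
    Write-Host "Process $($proc.Name) (PID $($proc.ProcessId))"
    $chain = Get-ParentChain -Process $proc
    for ($i = 1; $i -lt $chain.Count; $i++) {
        $p = $chain[$i]
        Write-Host ("  launched by: {0} (PID {1}) {2}" -f $p.Name, $p.ProcessId, $p.CommandLine)
    }
}
```

Short-lived installers such as a KB patch often exit before a snapshot can be taken; for those, Process Monitor's process tree, as the answer suggests, is still the way to recover the parent.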