Process

unknown

wuauclt.exe

wuauclt.exe is the legacy Windows Update client used to trigger and control update checks from the command line. It is mostly superseded on modern Windows. Attackers abused a specific option that makes it load and run a DLL, executing code through a signed Microsoft binary.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

LOLBAS (1)
  • wuauclt.exe /UpdateDeploymentProvider {PATH_ABSOLUTE:.dll} /RunHandlerComServer · Execute · Execute dll via attach/detach methods

Indicators

Hashes

Not observed.

Analysis

About this process

wuauclt.exe (Windows Update AutoUpdate Client) historically drove update detection and installation. On Windows 10 and 11 most of its job has moved to the Update Orchestrator and usoclient.exe, so it is rarely seen doing real work. The genuine binary lives at C:\Windows\System32\wuauclt.exe. Its security relevance is a parameter that loads an external DLL through an update-deployment provider interface.

Legitimately, wuauclt is invoked by the update infrastructure, infrequently on current systems. A command line that points it at a DLL is what gives a malicious instance away.

Security notes

wuauclt.exe is a system-binary proxy (T1218). With the /UpdateDeploymentProvider <dll> /RunHandlerComServer form, wuauclt loads the named DLL and calls into it, so an attacker has the signed Windows Update client execute their DLL, bypassing application-control rules that trust Microsoft binaries. A wuauclt command line naming a DLL, especially one in a user-writable directory, is close to a confirmed abuse, because legitimate update activity does not look like that.

Since wuauclt does little on modern Windows, its appearance with an unusual command line or parent is itself worth attention.

Anomaly signals (5)
  • Image path other than C:\Windows\System32\wuauclt.exe (high)
  • A command line referencing UpdateDeploymentProvider and a DLL path (high)
  • A DLL loaded from a user-writable path (Temp, AppData, Downloads) (high)
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe (high)
  • wuauclt spawning child processes or making outbound connections (medium)
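The security notes and anomaly signals above, turned into a small triage check over process-creation records. This is an added example, not code from the page or from any vendor; the event record shape, the regex, and the list of Office/script-host parent image names are assumptions, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# The only legitimate location of the Windows Update client (from the page).
LEGIT_IMAGE = r"c:\windows\system32\wuauclt.exe"
# User-writable directories named in the anomaly signals.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\downloads\\")
# Assumption: which image names count as "Office application" and "script host".
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "mshta.exe",
                      "cmd.exe", "powershell.exe"}
# Absolute Windows path ending in .dll, optionally quoted.
DLL_RE = re.compile(r'"?([a-z]:\\[^"\s]+?\.dll)"?', re.IGNORECASE)

@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed, Sysmon-Event-1-like)."""
    image: str
    command_line: str
    parent_image: str
    child_count: int = 0
    outbound_connections: int = 0

def assess(ev):
    """Return the anomaly signals a wuauclt event matches as (signal, severity)."""
    hits = []
    if ev.image.lower() != LEGIT_IMAGE:
        hits.append(("image path outside System32", "high"))
    dll = DLL_RE.search(ev.command_line)
    if "updatedeploymentprovider" in ev.command_line.lower() and dll:
        hits.append(("UpdateDeploymentProvider with DLL path", "high"))
        if any(d in dll.group(1).lower() for d in USER_WRITABLE):
            hits.append(("DLL in user-writable path", "high"))
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        hits.append(("suspicious parent process", "high"))
    if ev.child_count or ev.outbound_connections:
        hits.append(("child processes or outbound connections", "med"))
    return hits

def is_abuse(ev):
    """Page rule: a wuauclt command line naming a DLL is close to confirmed abuse."""
    return any(sig.startswith("UpdateDeploymentProvider") for sig, _ in assess(ev))

# Constructed sample events, not real telemetry.
BENIGN = ProcEvent(r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe",
                   r"C:\Windows\System32\svchost.exe")
SUSPECT = ProcEvent(r"C:\Windows\System32\wuauclt.exe",
                    r'wuauclt.exe /UpdateDeploymentProvider "C:\Users\alice\AppData\Local\Temp\x.dll" /RunHandlerComServer',
                    r"C:\Windows\System32\cmd.exe")

if __name__ == "__main__":
    for ev in (BENIGN, SUSPECT):
        print(ev.parent_image.rsplit("\\", 1)[-1], assess(ev), is_abuse(ev))
```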

Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.

References
