I haven’t run Windows since 2019. However, I need to boot my old drive to grab some data. I really need to make sure this system doesn’t update any Windows components, but I’ll need it to have internet access for a portion of the time.

On a different system, I used to have two reg keys that I would run to disable or enable updates when I found that disabling the services only worked until the watchdog would re-enable them. Those resulted in updates saying something was wrong, which is perfect by me.

Now that web searches for stuff like this are all AI-gen’d SEO BS, can anyone tell me or point me to a reliable resource for truly disabling updates on Win 10?

PS - Bonus points if anyone can link me to the page I used a few years back that had all sorts of privacy enhancing and telemetry disabling options on the left side and would create a reg file for applying those changes on the right. It might have been a purple theme, I forget.

Edit: it may also have been a “services” command that fully disabled services from CLI where the GUI says access denied. I forget.

Edit 2: I got the updates services disabled via registry. Thanks to those who refreshed my old Windows admin memory. I dumped Windows on my personal systems years ago, and haven’t had to think about this for a while. It’s a shame when the operating system changes to this model of SaaS where they call all the shots. I want security updates, but not bleeding edge drivers, candy crush, “feature enhancements”, random unexpected reboots, etc. I miss when the update feature didn’t assume nobody in the world could handle manual updates. You know, like sudo apt-get update.

  • folekaule@lemmy.world · ↑18 · 5 months ago

    Is moving the drive to another computer as a secondary drive an option? Or put it in a separate USB enclosure? That way you don’t need to boot it at all, unless it’s encrypted or something.

    • XeroxCool@lemmy.world · ↑2 · 5 months ago

      Would plugging a drive with an OS on it into a running computer just show a list of files like normal?

      • folekaule@lemmy.world · ↑3 · 5 months ago

        Yes, unless it is encrypted, in which case you need a way to decode that. You can even boot an OS from a USB thumb drive to recover files from a hard drive.

  • Blizzard@lemmy.zip · ↑12 · 5 months ago

    I tried every suggested way of disabling Windows Updates, including changing dedicated settings in Windows Update, registry, group policy, disabling services, blocking it in firewall, adding WU domains to the hosts file and some other tricks I can no longer remember - Windows just ignores it all and updates itself anyway.

    The only thing that seems to have worked is to set your internet connection as metered and then set WU not to update over metered connections.

  • expectation failed@lemmy.world · ↑9 · 5 months ago

    Bonus points if Anyone can link me to the page I used a few years back that had all sorts of privacy enhancing and telemetry disabling option on the left side and would create a reg file for applying those changes on the right

    Sounds like https://privacy.sexy/ might be the answer?

  • Kit · ↑9 · 5 months ago

    Everyone here is dramatically overcomplicating the solution. Simply:

    1. Turn on the PC without an Internet connection
    2. From an elevated cmd, run net stop wuauserv
    3. Connect the network and copy your files

    This stops the update service and will absolutely prevent windows updates from running. BUT it reverts at the next boot, so be careful.

    If you want a more permanent solution, you can edit a regkey to trick the system into looking for a local wsus server, which will prevent it from reaching out to the web. Read this for a rundown: https://learn.microsoft.com/de-de/security-updates/windowsupdateservices/21669493

    Source: More than a decade as a sysad with a focus on endpoint patching

    • Reygle@lemmy.world · ↑3 · 5 months ago

      Hate to be “that guy”, and maybe OP’s no updates since 2019 exempt them from this, but modern 10/11 both immediately auto-restart the Windows update service when it’s manually stopped.

      • s38b35M5@lemmy.world (OP) · ↑3 · 5 months ago

        No, you’re absolutely right. That’s what happens when you have the WaaSMedic service running, which cannot be easily disabled in services.msc. I would think I had finally gone the “full-nuclear” option and broken all updates by disabling and stopping the update services (that I knew about), but they would re-enable themselves without fail.

        This comment explains where you need to disable it (if you want to go that route).

      • Kit · ↑2 · 5 months ago

        This is not my experience on Windows 10 Pro

  • NaibofTabr@infosec.pub · ↑8 · 5 months ago

    InControl by Steve Gibson allows you to set a specific Windows release version and prevent further feature updates, but does allow security updates:

    InControl controls Windows automatic updating/upgrading system by targeting it to a specific major version and feature update release. By default, the current release will be used. So if you “Take Control” with the major version and feature release shown in the boxes in the lower left, Windows will remain right where it is – only installing monthly security updates – until you “Release control”.

    Also:

    Like all of GRC’s ultra lightweight freeware utilities, no setup or installation is required. Just run the utility with administrative rights. InControl’s operation can be scripted from the command line, and full technical details about the Registry keys it changes is provided.

    • s38b35M5@lemmy.world (OP) · ↑6 · 5 months ago

      God bless Steve Gibson! Security Now! I used Spinrite back in 92. I’ve used his other utilities (when they were relevant), and ShieldsUP too. That man is a treasure. Thanks for the link. I know he gets it.

      On second thought, while this is great, I need to block all updates in this PC.

      • NaibofTabr@infosec.pub · ↑2 · 5 months ago

        Yeah, I started listening to the podcast a couple years ago, and based on that I’d trust Steve’s opinion on basically everything related to computers & networking - largely because I know he’d be able to explain in detail why he has that opinion.

    • FauxPseudo @lemmy.world · ↑2 · 5 months ago

      I was thinking boot from a different media and access the file system. But the moment I saw Steve Gibson had a different way I felt like my option was stupid. That is the power of Steve Gibson.

      • NaibofTabr@infosec.pub · ↑1 · 5 months ago

        Steve is one of those guys that has done so much with computers that if you have a problem it’s highly likely that he’s already dealt with that problem too and has a solution or workaround, or knows where to find one.

  • Brkdncr@lemmy.world · ↑6 · 5 months ago

    Just disable the windows update services.

    You could also use an allowlist firewall rule to restrict access to what you need.

    Also why the paranoia? What do you have against windows updates?

    • algorithmae@lemmy.sdf.org · ↑8 · 5 months ago

      What do you have against windows updates?

      Forced windows 11 upgrades, breaking VPNs, breaking recovery partitions, intentionally targeting and breaking the win10 start menu for win11, installing unwanted software, enabling ads, adding additional telemetry, adding half baked AI nonsense that nobody asked for, restarting without a prompt and losing progress or canceling a running program… Should I keep going?

    • BearOfaTime@lemm.ee · ↑6 · 5 months ago

      After 30 years of running windows boxes, I’ve never been hacked.

      But I’ve lost thousands of hours to update fucking my shit up.

    • Deleting documents from insider branch users a few years back, forced installation of HP SMART printer utility, constantly switching users’ default browser back to Edge, even bypassing my employer’s GPO to do so at one point in a Teams update

      Not to mention their habit of making practically everything opt-in by default. And what is up with the new Aptos “cloud” font that only works if you have an active Office 365 subscription?

      I don’t know tbh, Windows just doesn’t cut it for me anymore personally, mainly because of Microsoft. Stuck with it on my desktop though because of sim hardware.

      I still have XP on an airgapped old PC for nostalgia ☺️

  • algorithmae@lemmy.sdf.org · ↑5 · 5 months ago

    Download and install sysinternals suite: https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

    then run:

    psexec -i -s services.msc

    and disable Windows Update, Update Orchestrator, and WaaSmedic if it’s there.

    Alternatively, do the same psexec but regedit instead of services, navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, find those same services I listed above, change the Start value to 4 to disable. I went to the next step and neutered all the registry entries for each of those services to make sure they stayed dead.

    • Thorry84@feddit.nl · ↑9 · 5 months ago

      Why would you need psexec to run services.msc? You can just open the services by running it directly or even from the start menu.

      • algorithmae@lemmy.sdf.org · ↑2 · 5 months ago

        To run as System and prevent permission issues from wagging its finger at you and saying “nuh uh”. Yes obviously you can open Services the normal way if it wasn’t windows update BS

    • s38b35M5@lemmy.world (OP) · ↑4 · 5 months ago

      WaaSmedic must be that watchdog that kept re-enabling update services after I disabled them years ago. I just remember my OS would start a multi hour encode or compile, and I’d come back hours later to a login screen and update history telling me it rebooted when I didn’t have automatic updates enabled.

      Thx for the reply.

      • algorithmae@lemmy.sdf.org · ↑2 · 5 months ago

        Eeyup, same exact situation here. I leave my work computer overnight reencoding video pretty frequently, and would lose so much productivity due to restarts I didn’t ask for.

        • s38b35M5@lemmy.world (OP) · ↑2 · 5 months ago

          It’s all coming back to me now. Must’ve been repressed memories…

          For the record, the service names are: UsoSvc WaaSMedicSvc wuauserv
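
The registry approach discussed in this sub-thread, as an added example that is not part of any poster's comment: a PowerShell script that reports the Start value of the three services named above, sets it to 4 (disabled) after saving the original values, and can put them back later. It assumes a shell running as SYSTEM (for example one started with psexec -i -s powershell.exe, in the same way as the psexec call above); the -Mode parameter and the backup path are names made up for this example.

```powershell
# Added example, not from the thread. Assumes it runs as SYSTEM, because
# an ordinary elevated shell gets "access denied" on some of these keys.
param(
    [ValidateSet('Report', 'Disable', 'Restore')]
    [string]$Mode = 'Report',
    # Hypothetical location for the saved original Start values.
    [string]$BackupPath = "$env:ProgramData\wu-start-backup.json"
)

$services   = 'wuauserv', 'UsoSvc', 'WaaSMedicSvc'   # names given in the thread
$root       = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StartState {
    foreach ($name in $services) {
        $key = Join-Path $root $name
        if (-not (Test-Path $key)) { continue }       # service absent on this build
        $start = [int](Get-ItemProperty -Path $key -Name Start).Start
        [pscustomobject]@{ Service = $name; Start = $start; Meaning = $startNames[$start] }
    }
}

switch ($Mode) {
    'Disable' {
        $before = @(Get-StartState)
        # Keep the first backup only, so a second run cannot overwrite the
        # real original values with 4.
        if (-not (Test-Path $BackupPath)) {
            $before | ConvertTo-Json | Set-Content -Path $BackupPath
        }
        foreach ($s in $before) {
            Stop-Service -Name $s.Service -Force -ErrorAction SilentlyContinue
            Set-ItemProperty -Path (Join-Path $root $s.Service) -Name Start -Value 4 -Type DWord
        }
    }
    'Restore' {
        if (-not (Test-Path $BackupPath)) { throw "No backup found at $BackupPath" }
        $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
        foreach ($s in $saved) {
            Set-ItemProperty -Path (Join-Path $root $s.Service) -Name Start -Value ([int]$s.Start) -Type DWord
        }
        Remove-Item -Path $BackupPath
    }
}

# Always finish by showing the current state, so a value that a watchdog
# has flipped back is visible on the next Report run.
Get-StartState | Format-Table -AutoSize
```

Running it again in Report mode after some time online shows whether any Start value has been changed back from 4.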

  • Contramuffin@lemmy.world · ↑5 · 5 months ago

    Windows comes with a secret option to turn off updates with group policies, so you don’t need to modify anything or use a script. It works just fine for me. No updates (unless I manually click update).

    The option for automatic updates is several layers deep in a nested menu tree, and I don’t fully recall what the path to get there is. But you should be able to find it online.

    • LinkOpensChest.wav · ↑1 · 5 months ago

      I just posted about this same thing, but I too can’t recall for sure the path. Group policy is the only thing that stuck for me.

  • RisingSwell@lemmy.dbzer0.com · ↑5 · 5 months ago

    There are programs like net limiter that you can use to just block access entirely for windows updates, every time one pops up to use data you can just block it, I think there’s like 6 processes windows will try to use to update various things. It’s not exactly what you are looking for, but it should solve your problem anyway.

  • KillingAndKindess · ↑3 · 5 months ago

    One thing that has worked for over a year on my backup laptop at least, is to use the only setting Microsoft seems to not be able to take away without being in trouble: Windows Update Setting: Don’t download over metered connections. Then, any network you connect to go into the networks settings and set as a metered network. The only thing that has made it through from updater was a tiny security update that it was able to download cause I was a bit forgetful once, pretty easy if u ask me

  • Glide@lemmy.ca · ↑3 · 5 months ago

    I just install DoNotSpy after a fresh install of Windows and have never had an issue with Windows Update ignoring me and doing whatever it wanted.

    Obviously the system has to be offline until it is installed and probably restarted, but after that you can plug in a cable and be fine, in my experience. Mind you I am still using an old, old, copy of 10 Pro as the installer, so I am uncertain how newer, fresh installs or home edition will handle it.