Question
HOW Force WSUS server to download patches once again
Ransomware encrypted WSUS content on one of the server. Yes… that’s true :) I helped to fix that problem in one of environment. It was typical ransomware which using SMB open shares and encrypt everything what is possible for credentials on machine where attack is performing from. WSUS content was one of the share affected in network. Fortunately only those data were lost. Generally is not a problem. Old content is needed to delete and new one to download. But there was question how force WSUS server to download patches once again after deletion? Let’s see full path of solving this problem.
Answer
Task is not so complicated. To delete old encrypted content and then download new one following actions are needed to perform:
- Find and stop WSUS service by typing in Powershell:
Get-Service wsus*
- You will ses all matched services. Correct one is WsusService. To stop them type:
Stop-Service WsusService
- Go to WSUS content folder and delete all encrypted stuff,
- Start WSUS service in Powershell:
Start-Service WsusService
- Use WsusUtil to force WSUS server to download patches once again. Type
wsusutil reset
Tip
Wsusutil.exe tool is available in path: Program Files\Update Services\Tools. So first go there and then use wsusutil reset comand.
After few minutes go to WSUS content folder and check if any new folder is visible. New tree of content should be already build. Time needed to download all content depends of amount of patches and network bandwidth available. It’s good to plan that action at night or weekend.
Additional information
WsusUtil tool has a lot of possibilities to use. On of them are already posted at my blog migration WSUS content to another disk. To see all of switches go to Microsoft documentation and read great article: Manage WSUS 3.0 SP2 from the Command Line. Here also you can find full description of reset switch used in our cases:
You use this command if you store updates locally on your WSUS server, and you want to ensure that the metadata information stored in your WSUS database is accurate.
– With this command, you verify that every update metadata row in the WSUS database corresponds to update files that are stored in the local update file storage location on your WSUS server. If update files are missing or have been corrupted, WSUS downloads the update files again. This command might be useful to run after you restore your database, or as a first step when troubleshooting update approvals.
– Syntax: wsusutil reset
Good luck with your case :)
