Windows Stealth Updates


I have been investigating the Windows stealth updates, and I've posted my findings here for those who are also interested in learning more about them, since Microsoft has been so tight-lipped.

I was able to get a bit of information by watching machines as they run the updates. I have found XP machines that have AU turned on (notify only), and have the updated files (big surprise). I have also found some machines that did not yet have the stealth updates, whether they had AU turned on or not (I will clarify this bit of information in my ongoing research). All of these machines I'm testing this on run XP SP2 and if they have AU turned on it is on the 'Notify Only' setting.


Links

Here are some links that have good information such as listing the files that were updated and screenshots of the event viewer files:

ZDNet Stealth Updates Blog Entry

Here is an article that specifies that Microsoft actually said they would publish more information along with a download to update the files (and I quote in part):

PCWorld Stealth Updates Article

Windows Secrets contributing editor Susan Bradley contacted Microsoft Partner Support about the update and received this short reply:

* "7.0.6000.381 is a consumer only release that addresses some specific issues found after .374 was released. It will not be available via WSUS [Windows Server Update Services]. A standalone installer and the redist will be available soon, I will keep an eye on it and notify you when it is available."

Unfortunately, this reply does not explain why the stealth patching began with so little information provided to customers. Nor does it provide any details on the "specific issues" that the update supposedly addresses.

Here is a link to the only response Microsoft has posted thus far to address the stealth updates:

Microsoft Updates Team Blog

Windows Update/Microsoft Update Website

If you installed MU on your machine, then muweb.dll is updated at this prompt:



The file wuweb.dll is updated when you go to the WU website and you are prompted to update 'Windows Update' from MS Windows Component Publisher (I think it's always the second prompt, see screenshot below).



When updated using the WU website, it does not update the rest of the WU files (except wuweb.dll, which is updated earlier in the process) until you get to this screen and click on this button (see screenshot below), so through this method you actually are prompted:



The only files updated during this process are cdm.dll, wuauclt.exe, wuaucpl.cpl, wuaueng.dll, wucltui.dll/mucltui.dll, wuweb.dll/muweb.dll (and sometimes wups.dll and wups2.dll).

Automatic Updates

If you have a machine which has not been updated yet with the stealth updates and AU is turned off, and you then turn AU on, those files will be updated without notification to the user before the bubble pops up from the systray stating updates are available.

Right after turning on AU, I observed the svchost.exe process take up processor cycles for a minute or two, then the wuauclt.exe process take up processor cycles briefly just before the bubble pops up from the systray with the yellow shield stating updates are available. It is during this time that those stealth files are installed through AU. The only files updated during this process are cdm.dll, wuauclt.exe, wuaucpl.cpl, wuaueng.dll, wucltui.dll/mucltui.dll, wuweb.dll/muweb.dll, wuapi.dll (and sometimes wups.dll and wups2.dll).

Note that wuapi.dll is only updated during AU, not during WU/MU, and only occasionally are wups.dll and wups2.dll updated during either process. I have not been able to figure out why that is.

This tells me that either svchost.exe (most likely) or wuauclt.exe updates those files. This means that using a firewall (Windows or third-party) is useless protection if you have created an exception in the firewall settings for Windows updates to get through. It has been suggested in the Microsoft Vista newsgroups that disabling the AU service and the BITS service may mitigate future stealth updates being installed without your knowledge. However, the minute you enable them to get updates and go to the Windows Update site or turn on AU, any and all stealth Windows Update files (and who knows what else) could be installed without prompting or notification on the machine. Scary!
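
One way to notice when the files listed above change is to record their versions once and compare against that record later. The PowerShell below is an added example, not part of the original write-up and not a Microsoft tool. It assumes PowerShell 2.0 or later and that the files live in %SystemRoot%\System32; the function names and the baseline path are hypothetical.

```powershell
# Added example: baseline and diff the Windows Update client files named on this page.
# Assumptions: files are in %SystemRoot%\System32; the baseline path is a placeholder.
$WuFiles = 'cdm.dll','wuauclt.exe','wuaucpl.cpl','wuaueng.dll','wucltui.dll',
           'mucltui.dll','wuweb.dll','muweb.dll','wuapi.dll','wups.dll','wups2.dll'

function Get-WuClientSnapshot {
    param([string]$Directory = (Join-Path $env:SystemRoot 'System32'))
    foreach ($name in $WuFiles) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) { continue }  # mu*.dll exist only with MU installed
        $item = Get-Item -LiteralPath $path
        $v = $item.VersionInfo
        New-Object PSObject -Property @{
            Name         = $name
            Version      = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                                $v.FileBuildPart, $v.FilePrivatePart
            LastWriteUtc = $item.LastWriteTimeUtc
            Length       = $item.Length
        }
    }
}

function Compare-WuClientSnapshot {
    param($Baseline, $Current)
    $old = @{}
    foreach ($b in $Baseline) { if ($b) { $old[$b.Name] = $b } }
    foreach ($c in $Current) {
        if (-not $c) { continue }
        $b = $old[$c.Name]
        if ($null -eq $b) { $change = 'added' }
        elseif ($b.Version -ne $c.Version) { $change = 'version changed' }
        elseif ($b.Length -ne $c.Length -or $b.LastWriteUtc -ne $c.LastWriteUtc) {
            $change = 'modified, same version'
        }
        else { continue }  # unchanged since the baseline
        New-Object PSObject -Property @{
            Name = $c.Name; Change = $change; Was = $(if ($b) { $b.Version }); Now = $c.Version
        }
    }
}

$baselinePath = 'C:\baseline\wu-client.xml'  # placeholder; keep it where only admins can write
if (Test-Path -LiteralPath $baselinePath) {
    Compare-WuClientSnapshot (Import-Clixml $baselinePath) (Get-WuClientSnapshot) |
        Format-Table Name, Change, Was, Now -AutoSize
} else {
    Get-WuClientSnapshot | Export-Clixml $baselinePath  # first run: record the baseline
}
```

Run it once before enabling AU or visiting the WU/MU site and again afterwards; any row in the output is a file that changed between the two runs.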