Back in the days of Windows 7 and earlier, the Windows Update Standalone Installer (WUSA.exe) included an “extract” option that allowed you to unpack a Windows update file without having to install it.
This was useful for IT pros who wanted to review the contents of an update offline before deploying it. However, in Windows 10, Microsoft removed the extract capability from WUSA.
This change has caused some confusion and annoyance among system administrators who were used to leveraging the extract feature.
In this post, I’ll take a look at why Microsoft made this change and what alternatives exist today for reviewing Windows updates without installing them.
Understanding the Role of WUSA.exe
First, let’s quickly review what WUSA.exe is and does. WUSA is a command-line tool that can install Windows update packages (MSUs) and cab files. MSU files contain operating system updates released through Windows Update.
Back in earlier Windows versions, WUSA had three main functions:
- Install: Install an update package
- Extract: Unpack the files contained within an update package without installing
- Log: Log details of the installation process
The extract capability was helpful for downloading and unpacking Windows updates for offline review before approval and deployment in enterprise environments.
However, beginning with Windows 10, Microsoft removed the extract function from WUSA. Only the install and log functions remain.
Why Microsoft Removed the Extract Capability
According to Microsoft, there were a couple reasons for removing extract from WUSA in Windows 10:
- Security concerns: Allowing arbitrary file extraction could be abused by malware authors to unpack files to unwanted locations.
- Limited usage: Microsoft determined the extract function was rarely used in practice.
The reason Microsoft has removed this option is because of a security issue with the extract option. The reason I found out that this was removed was because I was trying to bypass UAC on Windows 10.
Let me try to explain a little better. When you start CMD.exe as an administrator you will have to answer Yes to User Account Control in order for the process to start with HIGH integrity level.
Using Process Explorer, you can see what sort of integrity level the process has. For this blogpost, I have started an instance of CMD as administrator and one without.
As you can see, I have one with HIGH and one with MEDIUM. Now for the fun part. If you start WUSA.exe it will not trigger User Account Control, but run in HIGH integrity mode. Some Windows internal exe files are set to auto-elevate by design. You will actually see it on the icon if you look at it. It has the Windows UAC shield on it:
WUSA is one example, and SYSPREP.exe is another. So how is /extract a security issue? I will try to illustrate an example. This example will work on Windows 7/8/8.1.
First, I will have to create a CAB file containing an «evil» file. I will use makecab for that purpose.
I have placed an evil.dll file inside my UAC-Example folder, and I use the command: «makecab c:\uac-example\evil.dll c:\uac-example\evil.cab» to make -a cabinet file of the dll.
Next, I will run «WUSA.exe c:\uac-example\evil.cab /extract:c:\windows\system32». This command will extract the dll file from the cabinet file and place it in system32 without triggering «User Account Control».
So, there you have it, the reason why the extract option is gone in Windows 10.
Alternatives for Reviewing Windows Updates
Now the question is, how do you review the contents of a Windows update package on Windows 10 without the extract option? Here are a few methods:
Use PowerShell to Expand the MSU File
You can use the Expand-WindowsUpdate PowerShell command to unpack an MSU file:
Expand-WindowsUpdate -WindowsUpdatePath C:\path\to\update.msu -DestinationPath C:\outputThis will extract the updated contents to the specified output folder. You can then review the dlls, executables, and other files included in the update.
Review the Update Contents on the Microsoft Update Catalog
The Microsoft Update Catalog publishes the contents of Windows updates online. You can download the update .msu file and review the list of files, registry keys, and other details changed by the update.
While not as complete as extracting the update locally, the catalog provides helpful high-level information.
Use Third-Party Tools Like 7-Zip
Since MSU files are essentially CAB archives, you can use a tool like 7-Zip to extract the contents. The steps would be:
- Download the .msu file from the Microsoft Update Catalog
- Rename the .msu to .cab
- Use 7-Zip to extract the .cab archive
Again, this will allow you to browse the update contents offline before approval.
Review Released Update Notes
For each Windows update, Microsoft publishes release notes on the support site detailing what’s included, from new features to security patches and bug fixes.
Reviewing these release notes will provide insight into what changes an update makes. So, while you can’t extract the files directly, you can still access a list of what the update does.
Test Updates in a Staging Environment
The most thorough way to evaluate an update is to test it in a controlled staging environment that mirrors your production systems. This allows you to monitor the impact of installing the update before rolling it out more broadly.
Tools like Windows Server Update Services make it easy to import and target updates to specific test machines.
The Bottom Line
While the removal of the extract function in WUSA does make reviewing standalone Windows updates more challenging, several viable alternatives exist.
Combining options like PowerShell extraction, the Microsoft Update Catalog, release note reviews, and staging deployments enables IT teams to stay informed on updates even without WUSA extract.
The key is having a repeatable update review process that leverages the right tools for your environment. For some, that may mean continued use of WUSA for basic Windows 7/8.x deployments alongside new methods for Windows 10 and Server 2016/2019.
As with many changes, adapting processes to account for the removal of WUSA extract just takes a bit of planning. But with the right approach, you can achieve the same level of insight into Windows updates that extract previously offered.
Other Topics:
