A silent patch Microsoft pushed out last month prevents Windows XP users who repair their PCs from securing their machines with new patches, Microsoft has confirmed.

"When an XP repair CD is used, it replaces all system files (including Windows Update) on your machine with older versions of those files and restores the registry," said Nate Clinton, program manager for Windows Update on a Microsoft blog. "However, the latest version of Windows Update includes 'wups2.dll' that was not originally present in Windows XP. Therefore, after the repair install of the OS, wups2.dll remains on the system, but its registry entries are missing. This mismatch causes updates to fail installation."

The Windows Secrets newsletter reported the patch installation failures after tests on Windows XP machines that had been restored by an in-place reinstall. The root of the problem, said the publication, is that seven DLLs from the latest revision to WU - not just one - failed to register themselves with XP. Microsoft could not provide an explanation for the discrepancy between the claims.

The file cited by Clinton, wups2.dll, is one of the seven fingered by Windows Secrets and part of the so-called stealth update that Microsoft sent to most non-corporate Windows XP and Vista users beginning in July and running through this month. The update was delivered and installed without prior notification, even when the PC's owner had told the operating system not to download or install updates without notification and permission.

Testing shows that the silent update - tagged as 7.0.600.381 - blocks 80 patches and hot fixes from installing on a just-repaired system restored with a retail version of Windows XP SP2. After executing a batch file recommended by Windows Secrets, the batch file registered each of the seven suspect DLLs. The updates could be installed, however.

Clinton said the problem would be fixed by registering only the wups2.dll file. He also listed the steps users should take, and promised that a document providing more detail would be posted to Microsoft's support database. As of mid-day Friday, the document, designated KB943144, had not appeared on Microsoft's support site.

Although Scott Dunn of Windows Secrets said the post-repair update bug is proof of the danger that stealth updates pose, Andrew Storms, director of security operations at nCircle Network Security, said that the practice also hits Microsoft in the wallet.

"Imagine the amount of work for Microsoft's support teams on this," he said. "It would have probably taken a couple of hours on the phone to help a customer," he added, because even the support representative would not have had any idea that the WU update was the cause. "This isn't just a PR problem for Microsoft, but also a support problem.

"Silent updates are not going to help with Microsoft or end users," Storms said.

Companies may rely on re-imaging a damaged PC rather than restore it with an in-place reinstall, he said, but plenty of small and mid-size companies depend on the repair option. They, too, would be stymied by the inability to patch repaired PCs, since the same WU client software is used by Windows Server Update Services (WSUS), the update mechanism most businesses use to deliver update to their end-user machines.

"Everyone gets the same updates [to WU]," said Storms, "so the same problem will persist for both WSUS and people getting updates direct from Microsoft."