WSUS Administration Console Not Loading – Unexpected External Connection

Amit 1 Reputation point
2025-11-05T05:34:27.7166667+00:00

Hello Friends,

We are running WSUS on Windows Server 2022 Standard. It was working fine until about a week ago, but suddenly, the WSUS Administration Console crashed and is no longer loading.

I have already tried several common troubleshooting steps — such as checking IIS settings and deleting the WSUS MMC configuration files — but with no success.

Interestingly, when launching the WSUS console, a command prompt window appears and attempts to connect to an external IP address (149.28.78.189) on port 38202, which fails to connect.

This behavior seems unusual for WSUS. I’ve attached a screenshot of the error for reference. Could you please help me identify and resolve this issue?


3 answers

  1. Chen Tran 4,550 Reputation points Independent Advisor
    2025-11-05T06:36:41.3666667+00:00

    Hello Amit,

    Thank you for posting your question on the Microsoft Windows Forum.

    The issue description strongly indicates that your WSUS server has been compromised or tampered with by malicious software, since the WSUS Administration Console should never attempt to connect to an external IP like 149.28.78.189 on port 38202. As the IP 149.28.78.189 is not associated with Microsoft update infrastructure, any attempt to connect there is suspicious.

    In addition to that, the console crash is likely a symptom of malicious code interfering with the normal launch of the WSUS console (MMC). It is possible the malware has replaced a legitimate file or registry key that is called when the console is opened.

    The suggestion here is to immediately shift from troubleshooting a broken application to responding to a security incident by trying the steps below.

    1. Isolate The Affected Server.

    • Disconnect it from the network to prevent further communication with the suspicious IP.
    • Do not continue using WSUS on this machine until it is secured.

    2. Scan for Malware.

    • Once isolated, run a full, deep scan using a reputable, up-to-date endpoint detection and response (EDR) tool or Microsoft Defender Antivirus or another enterprise-grade tool.
    • Check for persistence mechanisms (scheduled tasks, startup entries, services).

    3. Check The Event Logs.

    • Look at Application and System logs around the time of the crash.
    • Pay special attention to any entries about mmc.exe, wsus.msc, or unexpected processes spawning.

    4. Contact The Security Team.

    • Notify your security team or IT leadership to further investigate this incident in a timely manner.

    Hope the above information is helpful!

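The persistence and event-log checks from steps 2 and 3 of the answer above, as an added PowerShell example that is not part of any participant's post. The IP and port are the ones reported in the question; the 14-day look-back window and the filters on non-Microsoft task paths and service paths outside the Windows directory are assumptions.

```powershell
# Added triage example (not from the thread). Run from an elevated PowerShell
# session on the isolated server; it only reads state and changes nothing.
$SuspectIp   = '149.28.78.189'          # remote address reported in the question
$SuspectPort = 38202                    # remote port reported in the question
$Since       = (Get-Date).AddDays(-14)  # assumption: look-back window

# 1. Which process owns a connection (or pending SYN) to the reported endpoint,
#    and which process started it?
$procs = Get-CimInstance Win32_Process
Get-NetTCPConnection -RemoteAddress $SuspectIp -ErrorAction SilentlyContinue |
    Where-Object RemotePort -eq $SuspectPort |
    ForEach-Object {
        $p      = $procs | Where-Object ProcessId -eq $_.OwningProcess
        $parent = $procs | Where-Object ProcessId -eq $p.ParentProcessId
        [pscustomobject]@{
            State   = $_.State
            Process = $p.Name
            CmdLine = $p.CommandLine
            Parent  = $parent.Name
        }
    }

# 2. Children of mmc.exe (only visible while the child is still running).
$mmcIds = ($procs | Where-Object Name -eq 'mmc.exe').ProcessId
$procs | Where-Object { $_.ParentProcessId -in $mmcIds } |
    Select-Object ProcessId, Name, CommandLine

# 3. Persistence: scheduled tasks outside \Microsoft\, Run keys, services
#    whose binary is not under the Windows directory. Review each hit by hand.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskPath, TaskName, @{ n = 'Action'; e = {
        ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Where-Object { Test-Path $_ } | ForEach-Object { Get-ItemProperty $_ }

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '(?i)\\Windows\\' } |
    Select-Object Name, StartMode, State, PathName

# 4. Application and System events that mention the console or its snap-in.
Get-WinEvent -FilterHashtable @{ LogName = 'Application', 'System'; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'mmc\.exe|wsus\.msc' } |
    Select-Object TimeCreated, LogName, Id, ProviderName
```

Legitimate WSUS and third-party services will appear in the service list, so treat the output as a review queue rather than a verdict.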

  2. Adam J. Marshall 10,456 Reputation points MVP
    2025-11-05T22:03:50.14+00:00

    Are you performing the proper WSUS maintenance including but not limited to running the Server Cleanup Wizard (SCW), declining superseded updates, running the SQL Indexing script, etc.?

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-8-wsus-server-maintenance/

    9 times out of 10, console crashing is related to indexing, optimizations in IIS, and lack of maintenance.

    The odd 1 time out of 10, it may be due to something that requires running

    & "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe" /postinstall /servicing
    

  3. Adam J. Marshall 10,456 Reputation points MVP
    2025-11-05T22:05:38.8566667+00:00