1 year ago
#309072

Mike Bruno
IUpdateSearcher.Search() throws 0x80070005 (E_ACCESSDENIED) when running as NETWORK SERVICE
I am working on a Windows Service which runs under the NETWORK SERVICE account. One of the features I'd like to add is the ability to enumerate missing Windows Updates on the local server. The problem I've run into is that the IUpdateSearcher.Search() method throws an "Access Denied" exception. Specifically:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
My code looks like this:
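    using WUApiLib; // COM interop reference to the Windows Update Agent API (wuapi.dll)

    IUpdateSearcher updateSearcher = new UpdateSearcher();
    updateSearcher.Online = true;
    // Search for updates that are not installed; this is the call that throws E_ACCESSDENIED
    ISearchResult results = updateSearcher.Search("(IsInstalled = 0)");
    foreach (IUpdate2 update in results.Updates) {
        //Do something
    }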
If I add NETWORK SERVICE to the local administrators group, this code works; however, that, of course, is not an acceptable solution. Is it possible for me to get this working without local administrative access?
Edit: I updated the code snippet above per the WUA SDK Guide by removing the unneeded UpdateSession instance. Unfortunately, the problem remains. According to the SDK guide, as long as the invoker is a member of the local Users group, IUpdateSearcher.Search() should work. NETWORK SERVICE is an implicit member of Users:
USER INFORMATION
----------------

User Name                    SID
============================ ========
nt authority\network service S-1-5-20

GROUP INFORMATION
-----------------

Group Name                                       Type             SID                                           Attributes
================================================ ================ ============================================= ==================================================
Mandatory Label\System Mandatory Level           Label            S-1-16-16384
Everyone                                         Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Certificate Service DCOM Access          Alias            S-1-5-32-574                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                    Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE                             Well-known group S-1-5-6                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                    Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                 Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                   Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.
c#
com
windows-update
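
Added example, not part of the original question and not the poster's code: a small C# helper that, when a call fails with 0x80070005, logs the decoded HRESULT together with the identity and group SIDs of the token actually in effect at the call site, so the token dump above can be confirmed from inside the service. The class name TokenDiagnostics and its method names are hypothetical; only System.Security.Principal types are used.

```csharp
using System;
using System.Linq;
using System.Security.Principal;

// Hypothetical helper (added example): names are illustrative, not from the WUA SDK.
static class TokenDiagnostics
{
    const int E_ACCESSDENIED = unchecked((int)0x80070005);

    // Splits an HRESULT into severity, facility and code.
    // 0x80070005 decodes to failure, facility 7 (FACILITY_WIN32), code 5 (ERROR_ACCESS_DENIED).
    public static string DescribeHResult(int hr)
    {
        bool failed = hr < 0;                 // severity bit (bit 31)
        int facility = (hr >> 16) & 0x1FFF;   // same mask as the HRESULT_FACILITY macro
        int code = hr & 0xFFFF;
        return $"0x{hr:X8} failed={failed} facility={facility} code={code}";
    }

    // Reports the token the calling thread runs under: user SID, impersonation
    // level, and whether BUILTIN\Users / BUILTIN\Administrators are present.
    public static string DescribeCaller()
    {
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            var users = new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null);
            var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
            var principal = new WindowsPrincipal(id);
            string groups = id.Groups == null
                ? ""
                : string.Join(", ", id.Groups.Select(g => g.Value));
            return $"user={id.Name} sid={id.User} impersonation={id.ImpersonationLevel} " +
                   $"inUsers={principal.IsInRole(users)} inAdmins={principal.IsInRole(admins)} " +
                   $"groups=[{groups}]";
        }
    }

    // Runs a call and, on E_ACCESSDENIED only, logs the diagnostics before rethrowing.
    // Example: TokenDiagnostics.Run("Search", () => searcher.Search("(IsInstalled = 0)"), log);
    public static T Run<T>(string what, Func<T> call, Action<string> log)
    {
        try { return call(); }
        catch (Exception ex) when (ex.HResult == E_ACCESSDENIED)
        {
            log($"{what}: {DescribeHResult(ex.HResult)}; {DescribeCaller()}");
            throw;
        }
    }
}
```

The log callback is left to the caller so a service can route the line to the event log or its own log file.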
0 Answers