XP x64 post-mortem updates

 

XP x64 banner
Unofficial Updates for Microsoft® Windows® XP Professional x64 Edition SP2
Based on Windows® Server 2003 R2 x64, up until 2015-07-14

Designed for Windows XP Professional x64 EditionAfter I managed to [hack up] some update for Windows Server 2003 to run on Windows XP Pro x64 Edition, I have decided to dedicate a page to all updates released for Server 2003 but compatible with XP x64 after the official end of life of all Windows XP operating systems.

This work is based on the original findings of users from the RyanVM forums, and most importantly on the work of the user [5eraph]. None of his updates have been re-hosted here however, as I have chosen to do all the modification work myself, where necessary.

Edit: As of 2015 it has become quite clear, that almost no updates need any modifications actually, and so far, KB2926765 remains the only update ever having needed the hack. All others are hosted as-is.

Updates which do require the hack to run smoothly on Windows XP x64 will come in the form of a WinRAR based self-extracting installer somewhat similar to what Microsoft is shipping. Those installers will have a little Windows flag as their icons and will ask the user to accept the Windows XP Professional x64 Edition EULA. They will also show information about the update to be installed including a proper link to the corresponding Microsoft TechNet article.

All updates will be flagged to indicate whether they were hacked to work on XP x64 or whether they’re unmodified:

  • Green gear  Unmodified stock update from Microsoft.
  • Modded  Update which required hacking of update.exe to work on XP x64.

The updates will be grouped by month and sorted newest to oldest top down, including the Windows Update Agent 3.0 that needs to be installed on fresh Windows XP x64 setups for Windows Update to work at all (fixing the “permanent refresh” bug in Internet Explorer when trying to use http://update.microsoft.com/). The TechNet [severity rating] showing the security impact of each update on Windows Server 2003 x64 will be indicated right before each download link, as follows:

  • Severity rating: Low  Low
  • Severity rating: Moderate  Moderate
  • Severity rating: Important  Important
  • Severity rating: Critical  Critical
  • Question Mark  May be relevant for security, but no rating available

Please note, that this is supplemental to, but does not replace regular Windows Update entirely. These updates are for the Windows core system. You should still run Windows Update to receive updates for additional components like Microsoft Office or Visual Studio, which still keep being supported on XP x64. Those programs will have their own life cycles. Use both Windows Updates and the updates here to keep your entire XP x64 system on the latest patch levels!

And by the way, the hack requires some “PreRequisite” strings in the binary update.exe to be replaced. In my case, I have chosen to replace the strings with the following sequence of bytes: “SweetFreedom”, starting at offset 0x00016A90.

Now, please enjoy:

2017-05:

Here we have one more critical update for SMB/CIFS v1.0 services, that Microsoft chose to release for XP, XP x64 and Server 2003 despite support having ended. This was likely due to the panic caused by the “WannaCry” trojan infecting many unpatched systems.

2015-07:

*** Warning *** This will be the last round of updates for Windows XP Professional x64 Edition SP2. Windows Server 2003 extended support has officially ended on Tuesday, 2015-07-14, so there will be no more unofficial updates, unless Microsoft does release some out-of-band surprise fixes after the EOL of Server 2003, which is unlikely. Using XP x64 (or Server 2003 for that matter) after that date can happen at your own risk only, and you will have to accept the fact, that there may be security implications of varying severity in the nearer future. There will most definitely be a lot in the long run.

If you choose to continue using XP x64 as a networked operating system, the responsibility to secure and (externally) monitor and protect such machines for and against intrusions lies solely with you. Please be very careful!

Now, as for that last round, here they come:

  • *[1]: You do not need this if you don’t have VBScript, or if you have version 5.8 installed. You can verify this by inspecting %WINDIR%\system32\vbscript.dll or %WINDIR%\SysWOW64\vbscript.dll. Right click the file, click Properties, then switch to the Version tab. If it reads something like 5.8.6001.23661, you have version 5.8. If the first two digits are 5.6 or 5.7, choose the corresponding update for your version of the VBScript engine. If the files aren’t there, no update is required obviously.

2015-06:

 2015-05:

  • *[1]: You do not need this if you don’t have VBScript, or if you have version 5.8 installed. You can verify this by inspecting %WINDIR%\system32\vbscript.dll or %WINDIR%\SysWOW64\vbscript.dll. Right click the file, click Properties, then switch to the Version tab. If it reads something like 5.8.6001.23661, you have version 5.8. If the first two digits are 5.6 or 5.7, choose the corresponding update for your version of the VBScript engine. If the files aren’t there, no update is required obviously.
  • *[2]: This vulnerability exists in Server 2003 x64 SP2, and thus also in Windows XP Professional x64 Edition SP2. Microsoft will not issue a fix for it however. This is what they had to say about it:

“Although Windows Server 2003 is an affected product, Microsoft is not issuing an update for it because the comprehensive architectural changes required would jeopardize system stability and cause application compatibility problems. Microsoft recommends that security-conscious customers upgrade to a later operating system in order to keep pace with the changing security threat landscape and benefit from the more robust protections that later operating systems provide.”

-Microsoft Corporation

  • *[3]: Testing has shown, that these updates will fail almost all of the time when modern versions of Avast Anti-Virus are running during the entire or even just during a part of the installation process. It is recommended to disable the Avast shields to be able to install these updates, and re-enable them afterwards, if you have this AV software running on your machine. This may also be the case for past and future updates.

2015-04:

  • *[1]: Please note that this update will not provide any visual feedback to the user when run. Refer to the corresponding TechNet article to learn how to ensure that the update worked correctly, and that the affected certificates have been revoked as intended.

2015-03:

  • *[1]: You do not need this if you don’t have VBScript, or if you have version 5.8 installed. You can verify this by inspecting %WINDIR%\system32\vbscript.dll or %WINDIR%\SysWOW64\vbscript.dll. Right click the file, click Properties, then switch to the Version tab. If it reads something like 5.8.6001.23661, you have version 5.8. If the first two digits are 5.6 or 5.7, choose the corresponding update for your version of the VBScript engine. If the files aren’t there, no update is required obviously. Thanks go to [Sjaak Trekhaak] for pointing this out in the comments, as I had missed this specific update due to an unaffected VBS 5.8 being present on the test systems.
  • *[2]: These two updates have been pulled by Microsoft due to minor bugs. KB3002657 has been known to block SMB access to EMC² Isilon cluster systems and KB3033395 was sometimes erratically installed multiple times from Windows Update. While the latter should not be an issue on XP x64 systems, I will still provide the new versions of both updates. If you do not have them installed yet, just pick the v2 versions instead of the old ones. If you have, you can install the v2 versions over the existing ones without any issues according to Microsoft.
  • Please also note this months fix for the Windows Update error 0x80248015 encountered when Windows Update is being run within Internet Explorer. This has popped up lately due to an upgrade of muweb.dll from version 7.6.7600.256 to 7.6.7600.257. The fix is basically just a downgrade of said DLL, which makes convenient web-based Windows Updates work again. You can find this update on the bottom of this list, amongst “Other Updates”. This is not an official Microsoft fix, and shall not be treated as such. Installation at your own risk.

2015-02:

  • *[1]: This update will likely cause cosmetic font rendering issues / distortions, that can be seen with fonts like e.g. Times New Roman or Arial. Microsoft has stated that they’re looking into the problem. Deinstallation of KB3013455 is currently not recommended due to the updates’ security-related relevance. Edit: This update has been pulled by Microsoft as of 2015-03-10. Please do no longer install it. If you have already done so, please enter the folder %WINDIR%\$NtUninstallKB3013455$\spuninst\ and run spuninst.exe from there to remove it from your system. After the next reboot, font rendering should return to normal.

2015-01:

2014-12:

2014-11:

2014-10:

2014-09:

  • *[1]: This is an older, optional update from December 2013, but has only now been rolled out on Windows Update for installation by default.
  • *[2]: While you may already have KB2894842 installed on your system, this is an updated version. Microsoft recommends installing the newer KB2894842 v2 even if you already have the older version, as some libraries have been updated recently. You can install this over the existing version without any troubles.

2014-08:

  • *[1]: This update has been pulled back by Microsoft from Windows Update for causing severe problems on certain system configurations. Microsoft recommends uninstalling KB2982791 immediately, if you have already installed it!
  • *[2]: This is the fixed update replacing KB2982791. If you still have KB2982791 installed on your system, you’ll need to uninstall it before installing KB2993651 as per Microsoft recommendations! To do so, enter the path %WINDIR%\$NtUninstallKB2982791$\spuninst\ and run spuninst.exe from there.

2014-07:

  • Green gear Severity rating: Critical [KB2982792] (KB: 2982792. A SSL certificate spoofing fix.)
    • (Note that XP x64′ MS Windows Update will suggest the installation of an older SSL certificate update ‘KB2917500’ if you choose to install this. You should then ignore that Windows Update for security reasons or right-out blacklist it.)
  • Green gear Severity rating: Low [KB2977218] (KB: 2977218. A Silverlight tab-switched controls memory leak fix.)
  • Green gear Severity rating: Important [KB2961072] (TechNet: MS14-040, KB: 2961072. An update for the Ancillary Function Driver.)
  • Green gear Severity rating: Moderate [KB2962872] (TechNet: MS14-037, KB: 2962872. An update for Internet Explorer 6, 7 & 8. IE6 version.)
  • Green gear Severity rating: Moderate [KB2962872] (TechNet: MS14-037, KB: 2962872. An update for Internet Explorer 6, 7 & 8. IE7 version.)
  • Green gear Severity rating: Moderate [KB2962872] (TechNet: MS14-037, KB: 2962872. An update for Internet Explorer 6, 7 & 8. IE8 version.)
  • Green gear Severity rating: Critical [KB890830] (KB: 890830. Microsoft Windows Malicious Software Removal Tool v5.14, July/2014.)

2014-06:

2014-05:

Other updates that might be of interest:

2015-03:

  • Green gear Severity rating: Low [muweb.dll v7.6.7600.256] (This is a downgrade of muweb.dll from v7.6.7600.257 that re-enables browser-based Windows Update and fixes the error 0x80248015 encountered when Windows Update is run via Internet Explorer. Overwrite the files in %WINDIR%\system32\ and %WINDIR%\SysWOW64\ as found in the archive to make browser-based Windows Update work again. Thanks for this fix fly out to [Andrew Karmadanov] and [Sanjay Sheth] for publishing and ultimately to [b3270791] for the initial discovery! This is not an official Microsoft patch. Installation at your own risk!)

2011-08:

2010-09:

2008-07:

  • Green gear Severity rating: Low [KB953955] (KB: 953955. Win32_processor class fix of the CPU name property. CPU detection-related.)

2007-06:

  • Green gear Severity rating: Low [KB932370] (KB: 932370. Win32_processor class fix of the properties NumberOfLogicalProcessors and NumberOfCores. CPU detection-related.)

CC BY-NC-SA 4.0 XP x64 post-mortem updates by The GAT at XIN.at is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

  116 Responses to “XP x64 post-mortem updates”

  1. Microsoft released an important security update for Windows XP, XP x64 and Server 2003 beyond their support lifetime. KB4012598 resolves a serious SMB issue which is currently widely exploited by the WannaCry ransomware. The update does not seem to be on automstic updates (yet) for non-supported systems, so you will need to download it from MS and install it manually.

    http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

    usertile12

    • Hello Hyper,

      Thank you very much for reporting! I’ve actually installed the hotfix myself yesterday, but was too lazy to publish it here. :( Pretty interesting that Microsoft chose to deliver that patch for XP and even XP x64 / Server 2003 officially.

      Heh, and I do have a XP machine with POSReady2009 at work, but it doesn’t auto-update + reboot, so it’s going to be one interesting Monday morning. I wonder whether it’s already encrypted or not. ;)

      PS.: What’s with the leaf?

      • About the leaf: I expected this would be my avatar / user icon behind my name. Appearantly it is not. You may remove it if you like so. By the way: it it possible to set an avatar image somehow here?

        • Technically it is possible of course, but entirely unfeasible here. Let me elaborate:

          To give users their own avatars, I’d need to let them create an account and log in here. However, since I’m running this modern blog on an ancient quad Pentium Pro 200MHz server (with FPM-DRAM, SCSI disks etc.), this would be far too slow. As a logged-in admin, some pages take 30-60 seconds to load, sometimes significantly longer even. You might have noticed, that posting comments here is super-slow? That’s because it has to call actual backend code instead of cached, static pages.

          What I’m typically serving to anonymous users is server-side statically cached HTML. As the scripts create HTML to send to the user who is the first to visit a certain page in a certain state, that HTML is stored server-side. As long as nothing changes on that site, the next user gets that static HTML instead of re-running actual code, which makes things bearable, speed-wise.

          If I would let users log in, the static cache won’t work anymore, and every page would need to be regenerated dynamically, at each click. That would murder my ancient server (and yes, bytecode caching helps, but it’s not nearly enough).

          So, I can’t let other people register user accounts and log in here, because it would basically DoS my server. And thus, no avatars.

          I have to admit, I made a bad choice in terms of blogging software. I should have used something simpler and faster, but now it’s nearly impossible to migrate. And I love my server, been going strong since 1995, and since 2006 in my possession. More info [here].

          It’s actually quite interesting what people call “light weight” software these days. They have NO idea. It’s only when you run code on truly ancient hardware that you can see which programs are truly light-weight and fast, and which aren’t.

          My apologies for the inconvenience, and sorry for this wall of text! :(

    • Awesome! To see a new XPx64 update in 2017! :D I’m glad I found this community thank you thrawn. I Have allot of useful workarounds for common software and would love to discuss them and possible solutions and or collaborations on projects that I’ve been working on and been following as well. Cheers! :)

      • Hey Jojo,

        Anytime! I can drop you an eMail to the address you’ve specified if you want, since the comment threads here aren’t just slow, but also pretty useless for more lengthy discussions (due to the nesting).

        Let me know if that’s ok with you. If you have anything useful that I don’t know about yet, I’d definitely be interested!

  2. Hey,thanks for this. I still use xp64 on an haswell i3, with 8 gigs of ram. Its just simple,works beautifully,no compositing,nomodern apps,or such.
    Hint for some > windows vista 64 MSE 4.4.304 from filehippo,for ex,works perfect on XP64,updates,and detects .

    • Hello liquidLD,

      Thanks for the hint with MSE! That’s actually pretty neat, I might consider using it as well. Currently, I’m working with zero “snake oil” aka AV protection, because it’s not that necessary in my case. But browsing potentially dangerous web sites in a Linux or BSD UNIX virtual machine does get kind of cumbersome with time. ;) I’ve considered ESET NOD32 as well, but this might be a good alternative…

      Edit: I just tested the x64 version 4.4.304 you mentioned, and it works indeed! It downloaded the latest definitions from today (2017-02-22) just fine, and detected a test file containing an EICAR string that I threw at it! Excellent, thanks again for letting me know! :) Here’s the SHA-512 checksum of the mseinstall.exe file I got:

      0532badd6a0aac27f951248888152bb5438f7f949741a67976f02127408e087c0371eafc007057dcdf4a546d438657e19b5fc7e98bf46c5fc5ae59361d573d4b *mseinstall.exe

      And my EICAR string for the rudimentary functionality test file (just creating a .txt file, pasting the string and saving the file should trigger the malware detection):

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

      @Haswell: Can you get all the drivers, especially for the chipset? I’m asking because I really need the AHCI driver for my Intel SSDs, to perform the ATA TRIM operation via the Intel SSD Toolbox.

      • Hi again. Yeah, I have most of the drivers on an Asus CD (that is chipset drivers for H81M-K, MEI,Audio,Lan,and Video-the Haswell GT2 for embedded video driver-works perfect on my desktop) .
        That being said, I still use IDE in Bios for XP64, since I couldnt really find the AHCI driver for Intel H81 for Xp ..
        If you need the chipset driver, I could upload it on my G Drive. Tc

  3. Hello, I am from Slovakia. I have a computer layman, a self-taught. From the year 2003 until now I have gained some experience from the installation of Windows 98 – Windows 10 Somewhere I read that Win XP Pro 64bit edition has better performance than Win Vista. Despite the end of extended support for the Win XP 64bit, I installed it on one computer (CPU 2×2,6GHz AMD MB AMD-690vm FMH – from 2006) and the Acer Extensa 5210 with Intel Celeron 1.6 GHz 64bit architecture. 2.5 gigabytes of RAM – in 2008. withdrew updates via Microsoft update.
    I have installed MUI Language Pack for Czech drivers Win Server 2003. I do a search on HW manufacturers are also available for the Windows XP 64-bit.
    On both computers, I found compared to Windows 7 x86, respectively. 64 bit noticeable acceleration response, with little use of HDD
    IE8 64bit surprised by his speed when loading web pages.
    As another browser I use Maxthon in. 4.9.4.2000. MS Office Works 2007, 2010 have not installed. Avast works O.K., work and play, for example. CMR1, NFS PU 5/2000.
    I note that it is generally applicable system today, detects Wi-Fi, Bluetooth, HP, USM – mouse + keyboard. Played through WMP 11 (codecs Vista Codec Package from Shark 007) all known formats of video / audio.
    Like keepin’ older machines in operation.

    • Hello 19jmsr56,

      Always cool to see what other people are doing with XP x64! :)

      IE8 has its fair share of problems with modern Javascript, HTML5 and CSS3 however. I personally use the last version of the chromium-based Vivaldi browser and Mozilla Firefox on XP x64. Will have a look at your Maxthon version, that ome’s no longer based on Microsofts IE Engine like in the beginning, right?

      As for games, well, there are still modern games which run on XP x64 even if the developer says “Windows 7 and higher”. Look out for games which feature a Direc3D 9.0c renderer or an OpenGL 4 renderer (like games that feature the Unity 4 or 5 engines). Those are the most likely to work. A lot of Indie games also do work even if the specs say otherwise.

      As for gaming hardware I’ve made some good experiences with slightly older Logitech and Saitek hardware, like the Logitech G25 racing wheel or the Saitek X52 or X65-F pro flight sticks. Also, some modern mice are driverless (=work with Microsofts’ own HID driver just fine, including stuff like profile storage and firmware updating), the GEiL Epicgear AnurA being one example.

      USB 3.0 also works just fine with NEC/Renesas as well as SiI and VIA chips. It’s only USB 3.1 where the fun stops for XP users.

      As for my Office solution, I’ve dropped Microsoft altogether. I’m using Libreoffice now, on XP x64 as well as on Linux and FreeBSD UNIX.

      I had to drop the free Avast AV though. Too naggy, sluggish and had a few functional problems as well recently, like forgetting my whitelists upon reboot. Meh. I’m considering having a go with Eset Nod32, even if it costs money. According to my tests on my XP x64 VMs it works rather well, and its detection rates are high too. For now, I’m going without any AV snakeoil, doing risky things only in *nix virtual machines.

      And multimedia? I’m rooting for MPC-HC, best media player ever on XP, at least in my opinion. It can use video acceleration on XP as well, via nVidia CUVID and also Microsoft DXVA1 (VLC and others can’t, only support DXVA2, which needs DirectX 10.0!). Plus, MPC-HC is very light-weight and fast. For music I’m still using good old WinAmp 2.95 with some plugins for FLAC, AAC/M4A, SID, Monkey Audio, AC3 etc.

      Also, there is a pack of hardware that is still provided with XP x64 drivers, like my Areca ARC-1883ix-12 RAID-6 controller. Other things like Corsair Link with USBXpress are harder, because the Silabs driver works on XP x64, but the Corsair Link software itself doesn’t – so I’m just passing the USB device through to a Windows 7 VM running on VirtualBox, does the trick. ;)

      My current hardware running on XP x64 is as follows:

      • ASUS P6T Deluxe (Intel X58 chipset)
      • Intel Xeon X5690 hexcore at 3.46-3.60GHz
      • 48GiB DDR-III/1333 CL8 RAM (Kingston HyperX specified at DDR-III/1866)
      • nVidia GeForce GTX Titan Black
      • Intel 320 SSD 600GB, partition aligned to +1MiB (Intels SSD Toolbox allows for TRIM to be done on XP x64)
      • Areca ARC-1883ix-12 RAID-6 controller with 12 × HGST 7K6000 SAS drives
      • Auzentech X-Fi Prelude 7.1 sound card
      • StarTech PEXUSB3S44V quad-controller USB 3.0 upgrade card
      • IBM Model M keyboard on PS/2
      • Epicgear AnurA mouse
      • Corsair AX1200i power supply with Corsair Link support via Silabs USBXpress® protocol

      There is even an INF hack to enable all versions of nVidia Maxwell-based graphics cards on XP & XP x64, so a nVidia GeForce GTX Titan X should be possible as well. :) Maybe I’ll try that some day.

      Cheers and my greetings to Slovakia! :)

  4. Good day.
    I do not update my windows xp 64 for several years.
    I have a problem, I need to use a 3D program but when starting a notice not find some commands kernel32 library appears.
    My question is there any update for x64, to update my files kernel32 and their dependents?

    The version of my dll kernel32 is: 5.2.3790.5295 (srv03_sp2_qfe.140205-1447)

    Thank you

    • Hello jhon,

      I’d love to say something encouraging here, but I’m afraid I cannot. Updates will not help you. I’ve applied a lot of hacks to get stuff running on XP x64, including the X-COM hack with fileext.dll and all, but whenever you hit a kernel API call you can’t satisfy, it’s the end of the road.

      The kernel API is one thing Microsoft will never do feature updates for. That’s one of the big things Microsoft does when developing a new operating system – bring along new kernel API functions. And software calling those functions will basically define its minimum supported operating system by doing so. There is no way to fix this other than writing your own software layer intercepting and satisfying those calls instead of the kernel32.dll. In essence, a runtime.

      [Wine] does this on Linux and UNIX. Oracle ported parts of Wine for use in their VirtualBox tools, to be able to provide some rudimentary Direct3D and OpenGL capabilities to virtual machines. There is the [KernelEx] project which does this for Windows 98, just exactly this. Bringing more modern Win2000/XP kernel API functions back to Windows 98.

      Unfortunately, I do not know of any software project the likes of KernelEx for Windows XP or Windows XP x64. It seems there are no developers who’d be willing to undertake such a massive piece of work, or who’d be willing to port Wine to Windows in earnest (Oracles’ port is too minimal) to get this done. So: Whenever some recent program for Windows gives you an error like “whoops, I couldn’t find A or B in kernel32.dll”, I fear it’s time to throw in the towel. :(

      I’m solving this by sacrificing a Windows 7 license and running a virtual machine on top of XP x64. As long as you don’t need serious hardware 3D acceleration, it works nicely with VirtualBox < = 4.2.26 or some VMware Player 6.0.x. I'm currently using 6.0.5, not sure if newer ones still work too.

      That’s all you can do, as far as I know.

    • Well, that went downhill fast. ;)

      I think the workaround described as an alternative for the update should be applicable to XP as well though, maybe using [SubInAcl.exe] instead of takeown.exe, as shown on the [MSFN boards]. And while icacls.exe doesn’t exist on XP 32-bit, it’s there on XP x64, so the rest should be ok. One would just need to replace the takeown commands with something that actually works on Server 2003 / XP x64:

      cd "%windir%\system32"
      takeown.exe /f atmfd.dll
      icacls.exe atmfd.dll /save atmfd.dll.acl
      icacls.exe atmfd.dll /grant Administrators:(F) 
      rename atmfd.dll x-atmfd.dll
      cd "%windir%\syswow64"
      takeown.exe /f atmfd.dll
      icacls.exe atmfd.dll /save atmfd.dll.acl
      icacls.exe atmfd.dll /grant Administrators:(F) 
      rename atmfd.dll x-atmfd.dll

      Edit: This will disable the entire OpenType font rendering subsystem however, affecting all applications that use OTF fonts instead of TTF (TrueType) ones. If an application has no fallback for that, this could result in serious display issues I’m guessing. Microsoft says that Windows doesn’t ship with any OTF fonts by default, but 3rd party applications may come with and use them. I sure have a lot of them installed on my system, maybe because of LibreOffice or something…

    • Hello again,

      I’ve just inspected my XP x64 machines, and it seems there is only a 64-bit version of the affected atmfd.dll, which is a bit weird, but ok. I removed the file from %WINDIR%\system32\dllcache\ to prevent restoration and then backupped and deleted it from %WINDIR%\system32\, after which I rebooted. No other steps were taken for removing the file, it works fine that way. Ah, you may need to accept the Windows prompt that comes up afterwards, telling you to repair the system from the installation CD. Just say “no thanks, I’d like to keep it that way” or something like that, and you’re done.

      After that, opening an OTF font gives the error message “[…] is not a valid font file.”. So the 64-bit OTF subsystem is indeed killed off now, thus working around the security hole at the expense of OpenType fonts. So, “fixing XP x64” now means “delete everything that’s affected if you can and dare!” I guess. ;)

      I have not tried to compile and test the [proof-of-concept exploit] though. But it should be ok with atmfd.dll removed. Maybe you’d still better check if the 32-bit version of the file does exist in %WINDIR%\SysWOW64\ as well, just to make sure.

      • Hello,

        I just noticed someone on the RyanVM.net forums mentioned that Windows Storage Server 2003 is supported until October 2016. Any chance you could use this to extend Windows XP x64’s support?

        • Hey tagg,

          Intriguing indeed. Windows Storage Server 2003 does exist in a x64 flavor, and just as you said, its extended lifecycle ends with [2016-10-09]. Still not PosReady2009 level, but better than nothing. Now, just like 5eraph, I have one question: Where do we get the updates? That we need to find out.

          I’d love to ask 5eraph or Syvat myself, but I can’t register at the RyanVM forums. I tried god knows how often, but I just never get activated for whatever reason. I also tried to contact 5eraph via another forum, but never got any reply. So all I can do on the RyanVM boards is to read…

          I’d like to fetch the updates from Microsoft directly, but if 5eraph chooses to use Storage Server 2003 updates to continue support, I might just extract them out of his pack and re-host them. Not overly polite, but yeah…

        • Ok, I found an old Dell Storage Server 2003 disc. We don’t have the corresponding machine any longer, but it’s better in a VM anyway. I’m currently setting the OS up, leaving out the Dell-specific stuff from CD #2 I’m thinking.

          Next step would be to find a reliable way to download the full update setup files (not diffs / Δ’s). Maybe the [Windows Updates Downloader] suggested to me by [Umlüx] could work, I’ll need to check that out. It’s imperative that I can find a way to get the full setup files. The first real live test for that can only happen next month anyway however.

          Edit: Or I could try it with the update from MS15-078…

          • Hi,

            i need the Update for Windows Server 2003 32bit. Can i download the Update for Dell Storage Server 2003 and install it on my Server 2003?

            Best Regards

            • Hey Colo,

              I’d just love to say: “If you know how, then yes!”, followed by “And if you do find out how, please tell me!”, cause I still do not know. My tests with Windows Update Downloader have turned out to be a complete failure. The software just isn’t intelligent enough to determine the sources of any full installers of any updates (not sure if there even are any). Instead, it’s relying on static, compressed “update lists”, and there are none available for Server 2003 x64 even, at least not from the WUP developer. Not to mention Storage Server 2003 (x86_32 included I’m afraid)…

              So, instead, I’m gonna say: “Hell if I know”. At least for now… I’m gonna stay on it, but no promises here. It’s not really looking too good right now, neither for XP x64, nor for Server 2003 32-bit. :(

          • Heyho,

            And I’m none the wiser either. On my Storage Server 2003, it seems the last update *has* been installed, given the version number of atmfd.dll (5.2.2.242 instead of *.241), but neither %WINDIR%\$hf_mig$ nor any of the KB folders in %WINDIR%\ show signs of the corresponding KB number 3079904 at all. It *is* there on my PosReady2009 systems however.

            Currently, I can only shrug my shoulders at this…

          • Hm. Another idea: If download links aren’t obtainable at all, I could just install the updates on Storage Server 2003, and then inspect the corresponding files in %WINDIR%\$NtUninstallKB*$\.

            When looking at the files spuninst\spuninst.txt and spuninst\spuninst.inf there, I think one can use that information to replay the installation on another system, by doing what the SP uninstaller does, just in reverse.

            I would need to either instruct the user very carefully as to how to install the stuff manually (where to copy which file etc.), or write my own installer script that does it for the user – hopefully without failing or wreaking havoc. All of that would be time-consuming however, and there might be a lot of issues that I might overlook during the short testing phase. So that would be a last resort measure only…

            • Hello again,

              I was researching Windows Storage Server 2003 and came across something that may explain why you cant find updates, and I quote:

              Like Windows 2003, Web Edition (but unlike other Windows 2003 products), Windows Storage Server is available only when purchased with new NAS devices from vendors such as Dell, HP, and Iomega. As a result and because NAS products constitute an unusual product category, hardware OEMs, not Microsoft, service Windows Storage Server. You must obtain bug fixes, security fixes, and other product updates from OEM Web sites, not from Windows Update. Microsoft says it will work directly with its hardware partners to ensure that they receive security updates as quickly as possible. However, responsibility for communicating and providing those updates to customers will lie with the vendors.

              I hope this helps-

              • This may actually be quite bad. I have no idea what kind of distribution channels the OEMs are using for this. I may need to look at my Dell Storage Server 2003 CD #2 more closely.

                But there are – I think – two major issues with this way of keeping the system up-to-date:

                1. Can we even get those updates and extract + redistribute them properly?
                2. Can any OEMs set of updates be considered complete for every possible base configuration of Server 2003, or will some OEMs leave out some updates that might be crucial for other systems?
                  • How to identify which are really needed, without having any further public security bulletins for Server 2003?
                • Hello,

                  I postulate that if you can get the right software installed off of that second CD and get it to connect to the Dell servers, the majority of your questions will be answered.

                  Also, I remain pretty optimistic about all of this working. I think worst case scenario will be, like you stated earlier, getting the updates from the RyanVM forums.

                  By the way, I am currently trying to sign up at the RyanVM forums. If they let me in hopefully Svyat will be willing to answer some of our questions.

                  I, as well as many others, appreciate all your effort thus far. Keep up the good work!!

                  • Hey,

                    Unfortunately, that second CD only featured some software upgrades from Microsoft, it was NOT the Dell-specific software I was looking for. Maybe there isn’t any from Dell to begin with!? And it is as I feared, the MS servers aren’t spitting out anything for my Storage Server 2003 other than the [MSRT v5.27].

                    I’ll guess we’ll have to keep an eye on 5eraphs thread in the RyanVM forums and see if somebody can come up with something. Maybe Hewlett Packard or somebody else is actually providing those “secret” MS updates for that system. I’ll also try to get my hands on the HP update software for their NAS systems. Unfortunately, I can’t download their service software with my HP PassPort account, because we don’t have any HP NAS systems, and you need to provide the “confirmation number” of the product (?!?) to download the service DVD. I’ll see what I can do.

                    • Hello

                      In order to download the Hp software, go to google and type in “ProLiant Storage Server Service Release 6.6”. The top first or second link in google will take you almost straight to it, past the part your stuck in, anyhow.
                      I managed to download it, so I know it works. I am not 100% sure if version 6.6 is the best version, it was just the highest numbered version I came across.

                    • Hey,

                      I tried, but I can’t find any direct download link at all. The links to HP all redirect me to the PassPort login, and the Torrent links are just scams. All I could get was the PDF manual, but no ISO files… :(

                    • Ah, thanks a lot, it’s downloading now! :)

                      The Dell WSS03 ISO I had was strangely not bootable. I fixed that by adding a bootloader to it using [nLite]. Just copy the CD to a disk, build a new ISO with nLite based on that data and tell it to add a bootloader (it does that by default I think), done. Just in case you also have that same problem.

        • I’m replying here because the longer part of the thread is already too narrow. In that regard, my website template really sucks, but well.. So this reply is in reference to [this post] and follow-ups.

          As expected, the main setup of HPs ProLiant Storage Server Service Release 6.6 DVD won’t install on my non-HP virtual machine. That aside, most components on the disc can still be installed individually. Just run \HP\X64\PSP\SETUP.EXE on the disc, that’ll fire up the HP Smart Update Manager allowing you to install a few things such as the “System Management Homepage” or the “HP Version Control Agent for Windows”.

          Both will work, but aren’t overly useful. The Insight stuff can’t be installed, as it needs stuff like HP iLO or IMPI drivers, for which my VM lacks the necessary devices. But Insight shouldn’t be useful either, so I don’t really care.

          I also checked all the individual packages to see whether the Smart Update Manager leaves anything out. Apparently, it doesn’t skip anything important. Most of the stuff is just HP software and drivers for SCSI/fibrechannel controllers, network chips, chipsets, etc. What few Microsoft hotfixes you can find on the disc are ancient.

          I also told the Smart Update Manager to look for newer “out of bundle” updates, but this doesn’t bring up anything useful either.

          I checked through most of the stuff now, but can’t find anything useful. I guess it’s like with graphics chip driver updates for notebooks. As soon as you hand responsibilities over to the OEM/system builders, support quality drops to somewhere close to the lowest imaginable level, and all you get is ancient trash.

          The only thing that I found that might be of interest is a 32-bit tool in \HP\X32\SYSTEMUPDATE\I386UPDATE\SETUP.EXE, but it fails to install. It’s something about “Windows Component Setup Updates”, no idea if it’s really relevant. I thought this might be some kind of system updater, but no idea. I need to check whether I can somehow unpack the contents of that EXE, but no luck with 7zip so far.

          I think Dell, HP and others might actually really just not care about rolling out any MS hotfixes they may have access to… :( But please let me know if you find something I missed!

          • Unfortunately I just went through it all as well and found nothing of real substance. I also tried finding any software from both Dell and Iomega but could not turn up anything.

            This sucks. Microsoft may be issuing updates but we’ll never get a hold of them.

            Just out of curiosity, do you know how much it would cost to go directly to Microsoft and purchase the updates? Do you know how someone would contact them in order to set it up?

            • Evening,

              Unfortunately, I do not know any company or system administrator with access to paid support. According to [The Register], the price per server in the first year is $600 with the amount increasing for every successive year. But it seems this depends on the number of servers to be supported as well. And probably on your negotiating skills. I would assume that the support contract would be quite strict, prohibiting the “official” redistribution of such hotfixes as well.

              For a private individual (like me) it’ll likely be impossible to even get that kind of stuff in the first place. I guess you’d need to be a company or some kind of government institution to get access to that stuff. It has also been said that the updates obtained in such a way are specific to certain target systems’ configurations (in essence: Only patching what a given customer is actively running on his servers), so we’d probably not get all exploits fixed anyway.

              For now, it sure doesn’t look too good… :(

          • “As expected, the main setup of HPs ProLiant Storage Server Service Release 6.6 DVD won’t install on my non-HP virtual machine.”

            I had an issue like that with a windows 2003 very small business server oem disc. However, this worked for virtualbox:
            VBoxManage setextradata win2003 “VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor” “HP”
            VBoxManage setextradata win2003 “VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion” “D21”
            VBoxManage setextradata win2003 “VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor” “HP”
            VBoxManage setextradata win2003 “VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct” “ProLiant ML350 G5”
            I’m not sure which one ‘fixed’ the issue, though.

            However, never ever buy any hp server stuff. It just totally sucks donkeyballs. That ML350 G5 has three possible motherboards with different options. The second CPU I have does not work, but the VRM apparently does. It’s a replacement part for an older part number, and should work. The ILO2 thing-me-bob also says the VRM2 works fine. It doesn’t detect a second CPU.
            BIOS options? Only a few.
            ILO2 firmware is still updated, but you need the 2.29 beta firmware to get a remote console with current java versions. Of course the ML350 G5 download page refers you to an ancient version.
            And their website is so incredibly slow. xin.at seems at least ten times faster!

            I also bought the wrong memory for an ml110 g5 because on the hp forums it was mentioned to be compatible. Another six euro down the drain! At least it was cheap. Anybody needs 2x 2 GB of DDR2 800 MHz ECC Registered memory?

            Yes I’m venting a little!
            I also got a HP NC364T quad port nic in a second hand server. Quad port nic, yay! It’s an HP, oh noes! It’s an intel chipset, yay!!
            Updating it to the latest boot image doesn’t seem to work though. I might as well stick iPXE in it. There is an advisory about this card, it should be replaced because of some issue. HP doesn’t want to tell me anything, and as long as I don’t have a support contract or warranty I can bugger off. At least they could have told me if this card can explode anytime or that it’s a small error which may occur. Probably the last, but it just pisses me off they can’t tell me anything about it. No I don’t have any contract, and I’m sure as hell not going to buy any HP client or server stuff ever again.

            • Hey Sjaak,

              That’s actually pretty ingenious. I didn’t know VBoxManage could modify the VM BIOS’ DMI data. However, it doesn’t appear to work for me, probably because I don’t know the proper strings. I had to just make up some BIOS version, and I’m not sure the product string is correct (taken from some text file on the service DVD):

              $ VBoxManage setextradata WSS03 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "HP"
              $ VBoxManage setextradata WSS03 "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion" "F20"
              $ VBoxManage setextradata WSS03 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "HP"
              $ VBoxManage setextradata WSS03 "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "StorageWorks NAS 2000s"

              And their website is so incredibly slow. xin.at seems at least ten times faster!

              Hah, and that says quite a lot. ;) But yeah, I know, I’ve heard similar complaints from pretty much everyone who had to use the website and the download areas. E.g. fetching a full set of drivers for a notebook is sometimes really painful. I have no idea how such a big global player can afford such a shitty server infrastructure, but whatever…

              Still, it would be nice to fake that HP DMI data in VirtualBox. But I can’t find the proper data to inject anywhere on the web, and I don’t actually have any HP NAS boxes that I could boot up Linux on for a quick # dmidecode. :(

          • Whenever I encounter unusual executable files that refuse to unpack via 7-Zip I just install Universal Extractor…! You need to make sure that it is given permission to associate itself with all of the required archive file extensions and install the Send To Contextual Menu Item…! Normally I just send the packed binary archive to it via it Contextual Menu Item Option…! One more thing…: this particular type of archive is somewhat tricky to forcefully extract with Universal Extractor…: you might need to try all three of the various .msi archive file type specific options…! If on the other hand it’s a InstallShield cabinet archive in disguise you might end up needing to update the unpacker plug-in binaries (they’re Open Source Software BTW too…!).

      • First of all thx for your work to Austria.

        Your trick to delete the atmf.dll in system32 and dllcache doesn’t work for me. It simlpy restores the file and Windows Update offers a bunch of (old) updates regarding that .dll.

        Any ideas?

        • Hi,

          Hmm, let me think… Maybe I didn’t actually do it exactly as described. It could be that I just overwrote the DLL in %WINDIR%\system32\dllcache\ and then the one in %WINDIR%\system32\, instead of deleting them beforehand. One thing’s for sure, you’ll need to deal with the one in the dllcache\ folder first. Also, I did the copying on the command line (with administrative privileges) in case that matters.

          Please try to just overwrite the DLLs in that order. It should work. I don’t have access to my testing VMs right now, but I should be able to check it out again on Monday, to see whether I did something wrong.

  5. Thanks again for the update hosting. I’ll stay with XP x64 unless some horrible network stack DoS like WinNuke would arrive. I’m only running it as a firewalled server with some non-MS services anyways. And with additional anti-virus and anti-malware I feel quite confident it will last for quite a while. It will probably give me some decent uptime in absence of a monthly reboot.

    • Hey again, Hyper,

      I’m even still running Windows 2000 Server SP4 as my server OS, and that’s quite heretical I think. ;) The machine everything (this blog included) is running on is an ancient quad Pentium Pro 200MHz machine, so yeah. I’d actually like to run some BSD UNIX instead – either FreeBSD or OpenBSD – but I have two remaining services including users and data that aren’t easily migrated, so that won’t happen anytime soon. Some of my services have been running since over 10 years now, always migrating everything to newer versions of the same server software.

      But yes, using a 3rd party firewall and only 3rd party or preferably free servers (like Apache, MySQL etc.) updated as far as possible. Such a thing can survive online, given a healthy amount of hardening. It really depends on your threat model too.

      If you do encounter a significant threat to XP x64 / Server 2003 in the future, feel free to report it here to warn other users! Not that there are that many other users here, but yeah. Oh, and good luck to you too! :)

      • Just for your information: If your quad Pentium Pro server is running 24/7 you will be financially better off upgrading to an ivy bridge (22nm) Celeron or similar energy efficient CPU because these newer CPU’s have a much lower power consumption. You probably have return on investment between one or two years. I did the same with an Athlon 64 x2 to a Celeron G1610 and went from 110 watt to 35 watt constant power usage. Quite a difference on my electricity bill!

        • Morning,

          Despite electricity being relatively cheap in my country, you are – of course – correct. That is something I’d never do however, only over my dead body. ;)

          Me and the Pentium Pro processor… we have a history, that goes way back. And so does this server. It’s a really long story, but let’s say I sensed the opportunity to finally get my “dream machine”, the one I always wanted in 2006. In its minimal configuration, but I saved it from the scrapyard at least. Unbelievable that someone would lease this monster and leave it vegetating like that with just one 166MHz CPU and 256MB RAM, and then it’s about to be thrown away? That’s would’ve been just sad. :(

          In the years after that I continually upgraded the machine all the way to its current, (near-)maximum configuration. Given it’s crappy performance by modern standards (at least I learned a lot about software-side optimization), even a lowly Bay Trail Atom could replace the machine easily in that regard.

          The IBM PC Server 704 however is a freaking 60kg tank (hell, you can even jump around on it, while it’s running), and it just refuses to die to this day. There is just something… special about a PC that worked for 20 years straight without any signs of weakness.

          I’m not even sure if I myself can outlive the damn thing! :mrgreen:

          So, you can call the “Zenit/XIN.at” server my hobby. It’s cheaper than cars at least. ;) If you wanna learn more, please see [here]German flag (yeah, that page is in German, I still haven’t translated it…)

          Oh, and factoring in the big UPS I need for it, the switches, quad-port G.SHDSL extender and some other networking stuff, the server consumes slightly over 500W. All the time. There was no “save the trees” GreenIT tech back then after all. :roll:

          • Whoa! That’s a sweeet Windows 2000 system you got there. I understand you like it. Really state-of-the-art stuff from back in the days. I’ll hug a tree to compensate for it’s power use. (Or well, you have all Ökostrom over there in Germany, don’t you?)

            • Hey,

              Austria actually, not Germany. And thank god for that. Germany has a geographically much more fragmented energy provider landscape with much less price war and suspected price-rigging and localized monopolism too. Most larger providers here in Austria are national and compete against others, who are also operating nation-wide.

              All of this adds to our prices being lower by several factors (!). So currenty I’m paying 6.86¢ per kW/h, where it would easily be in the 25¢ per kW/h range in Germany. Lucky me. And they actually have nuclear power plants too, but it’s still that crazy there.

              It’s very hard to even get nuclear power as an individual in Austria, and if you can, it’s just not cheaper than water+wind power, which are our main sources. There is oil/coal too, but not many of those plants are operating anymore.

              Plus, we have a national, private organization for “consumer protection” here. That organization collected signatures from people all over the country in a novel attempt to appeal to energy providers using a large amount of potential customers (comparable to the energy needs of e.g. a larger steel factory), so they got 150.000 people or so, out of an 8 million population, small country, eh? Naturally, every energy provider in the country wanted to pull those 150k over to their side, so that was SOME price war. ;)

              With those people they invited all power companies to tender. So that’s how I got those 6.86¢ instead of 8-something, we basically almost got an industrial-level price due to this event. And that’s how all of this is sustainable. :)

  6. So I take it that no one came up with a last minute method to extend updates for the 2003 codebase, eh? Shoot. I was hoping for a POSReady-style miracle.

    Thanks for hosting this page. I moved off of XP x64 a year or so ago, but it’s good to have these updates for down the road.

    Cheers,
    Jody

    • Hello Jody,

      Just out of curiosity I tried the POSReady2009 hack on XP x64, no luck of course. It makes sense however, given how small-scale POS systems are, just showing a little bit of information and small pictures to a user, or selling them some tickets, etc. A 64-bit address space is really unneeded in that area, which is likely why we’re left dead in the water now. ;)

      If you wish to fully update a XP x64 machine in the future (like when you want to build a XP x64 box for nostalgic reasons), I’d also like to point you to [5eraphs update pack] instead, because it allows users to install everything in one go, like with a real service pack. Makes it easier than having to install a thousand individual updates every time. :)

      • I downloaded the 5eraphs update back. It is a big archive without an installer. How can I install it?

        • Ah, shit…

          I’m afraid I have to apologize; I was under the impression that 5eraphs pack comes with an installer when it apparently does not. It’s meant to be slipstreamed into installation CDs rather than be installed on a live machine, and I wasn’t aware of that.

          It does however come with a file called 5erUpPck.inf, which appears to be an INF definition for the whole pack. You might wish to try and right-click that, and then pick “Install”. I have not tried that myself yet, but I can do that the coming week maybe, just to verify whether it works cleanly.

  7. I am using Windows Classic theme. After installing KB3065979 and restarting, colors were changed for Active Window title bar to be darker, [X] (close) larger, possibly other changes. In case you are experiencing the same issues, here is a FIX:

    On empty desktop area right mouse click and click Properties. Display Properties -> Appearance. For ‘Color Scheme’ re-select ‘Windows Standard’, then the ‘Apply’ button should appear. Click ‘Apply’ and all the good, old colors, etc. should be back again! :)

    • Good morning Gustavs,

      Interesting. I didn’t encounter the issue, but maybe that’s because I’m using a modified classic theme, that I saved under a new theme name on my workstation, so I could revert easily after [hacking the Zune theme into XP x64]. On others it’s just the automatically stored “Modified Theme” that appears when you make changes to the classic one. So I guess it could be that this only happens when you’re on the vanilla classic theme?

      In any case, thanks for reporting this! :)

      • Hi,

        I’m not really sure KB3065979 caused this. If it’s a real issue, perhaps other users will report more about this.

        With “theme” I really only meant classic style buttons, etc. (not XP theme style), it is/was showing as a modified theme, sorry.

        My PC has some hardware problems that need fixing (often no display output even in Bios screen), I needed to do a hard reset / power off & on several times for Windows to load OK and to show display output, maybe that messed up something + uninstalled VMware before this update (later found out that v7.x no longer works on XP). Once I can boot in Windows OK, everything seems to work fine.

        • Hmm, ok. So it’s somewhat inconclusive then I guess. Doesn’t matter, if somebody does encounter the exact same issue, a easy solution is there.

          I hope you can get your machine to work again!

          PS.: Newer VirtualBox versions also seem to be broken on XP, basically every version that’s >=4.3.x seems affected, so I’m staying at 4.2.26 r95022 with VBox. Not sure if this got fixed considering Server 2003’s also affected, but I guess not. Besides a very few free developers, everybody’s dropping support now, with Microsofts’ VisualStudio development environments’ default settings making it easy to break support on top of everything. If you build software with the newer versions, even the most simple binary will fail to run on XP without configuring VStudio properly. And most developers use a new version of VisualStudio to build stuff for Windows…

          And it’s going to get much worse starting tomorrow, especially because cute little helpers like the Kernel32 API extension [KernelEx] don’t exist for Windows NT. So starting tomorrow, NT 5.2 might sadly die faster even than Win9x after its official demise, unless POSReady2009 can buy us 64-bit users some time too, in the 32-bit application support area at least. But given the highly specialized nature of POS systems, I doubt it.

        • Hi again,

          Scratch that, I DID get something similar on one of my testing VMs. The style reverted from my modified classic to a modified Luna (?!?) that had some strange stuff set, like title bar dimensions I definitely did NOT set like that. Given that I’ve seen this in a VM I’d say it can’t be hardware-related. I don’t have a lot of software installed either, so you were maybe right suspecting some Windows Update for being the culprit.

          It can be fixed with relative ease though, so not really that much of an issue.

  8. There was an update that was released on the 16th of june:
    Update for Windows Server 2003 x64 Edition (KB3065979) Updates 3065979 0% Not approved 16-06-2015
    This issue occurs after you install security update 3045171. You experience a crash when you use Windows GDI+ to create text outline-based path objects on a computer that is running Windows 7 Service Pack 1 (SP1) or an earlier version of Windows.

    • Hey Sjaak,

      Umm, yes, see one comment below! :) Already reported by arqarq. I think I will find time to test and add it tomorrow. It’s not that pressing a matter, given it’s got no security implications.

      Thanks!

    • Hey again,

      It’s been tested and added to the list now! :)

  9. Hi,

    I think KB3065979 is missed.

    Thanks for this site, BTW.

    • Hello arqarq,

      My apologies for approving your comment so late, but I’m a bit busy around these days.

      Anyhow, thanks for that! Must’ve missed it, because it was released a bit later, as a hotfix for KB3045171. Luckily, it doesn’t have any security implications. I will add it too the list soon! Maybe tomorrow or Monday (I’m still testing every single one on XP x64 before release).

    • Hello once more,

      I’ve tested KB3065979 now, and as expected, everything works just fine. It’s been added to the list, thanks for reporting this update!

      • Hello,

        Thanks for mentioning me:)
        It’s only few days to EOL.

        • Very well then, let the drums roll! :)

          • Hi,

            So it’s over now:)

            I think additional MS15-066 for VBScript engine is missed (KB3072604). It’s related only to VBScript 5.6 & 5.7 in fact; 5.8 is covered by MS15-065 already. But it would make your list complete:)

            • Hey again arqarq,

              Ah, and there I missed another VBScript update. I should have studied the security bulletins more carefully! Thanks for pointing that out (once again ;) )! I’ll add it to the list tomorrow!

              Edit: And it’s done.

          • Hi,

            There is one more thing about MS15-069/KB3067903.
            There are 2 options for Server 2003 in this bulletin – regular one (‘cewmdm.dll’ version starts with 10.0) and one for Windows Media Format SDK 11 (WMP11 installed in other words; ‘cewmdm.dll’ version starts with 11.0). (‘cewmdm.dll’ is x86 thus can be found in ‘SysWOW64’ only)
            Unfortunately, the latter is available only via WU, so not in x64 XP. But I found this in Microsoft Update Catalog, file name is ‘AMD64-en-windowsmedia11-kb3067903-x64-enu_ff84cb53ba0e0e5e1889c7c4c8d99777f6b98b84.exe’. Other language versions are available, for whatever WMP11 you have I guess (lang-packs for x64 itself are very limited).
            It has updated ‘cewmdm.dll’ from “11.0.5721.5145” to “11.0.5721.5295”.

  10. Windows Updates for Windows Server 2003 R2 x64, up until 2015-07-14: This is a “Patch Tuesday”. Does this mean we get the June the July updates of 2015 as last monthly cycle?

    • Hello Hyper,

      I guess me and my bad English weren’t quite clear on this, my apologies.

      While I can’t vouch for what Microsoft will be doing, 2015-07-14 is the end of the extended product life cycle as [announced] by Microsoft. As long as everything is done by the books, Julys updates will be included here the day after that (because I need some time for testing).

      • Well, one more month then, and all the bugs in Windows XP x64 will be fixed. :rolleyes:

        Nice service here. Thanks.

        • Hi again,

          Heh, yeah. Time flew by pretty quickly since I started doing this actually, it almost feels like it wasn’t worth it for just such a short period of time. Only “almost” though. :) Bad luck, that there is no 64-bit version of POSReady2009, otherwise this could have gone on until 2019, like for 32-bit XP.

          In any case, if you or anyone else decides to set up new XP x64 SP2 systems in the future, I’d recommend [5eraphs post-SP2 update pack] instead of my own stuff, so you don’t have to install like a thousand updates, but just a single one. Makes things much less of a pain. :)

  11. Wow finally I bumped into a site with XP x64 updates. Here I was thinking I was the only guy on planet refusing to give up on what is for me the best windows version ever! Ahh XP x64 forever. Thanks a bunch for making those updates available :)

    • Hey Remi,

      There are very few left, but you’re not alone with XP x64. I found some users on the Grim Dawn forums, then there is the hacker who made running XCOM possible, then 5eraph and quite a few others, like the forgotten user who leaked the UDF 2.5 file system driver for Blu-Ray access and many more. Amusingly, including a lot of Linux/UNIX people these days, including myself. ;)

      But – as sad as it may sound – I can only provide this service up until the end of the extended support lifecycle of Server 2003 R2 SP2, which means 2015-07-14. Microsoft will release updates to paying customers only after that (I’m sure you’ve heard about that). Even if I would pay to receive further updates to my own system(s), I could not legally share them way I am able to do now. :(

      That means if nobody else does it, XP x64 will “end” on that date, officially. Of course you might take proper precautions to make it live beyond that date, but you’ll need to be careful. I have ran Windows 2000 Server online (directly, no NAT) for years now, so yes, if you take proper precautions, Microsoft operating systems can live even past the date of their demise.

      But servers are easier than workstations, as users aren’t actively fooling around on them locally. ;) I’m sure you know all that though. I’ll just keep doing what I can until July. Maybe there will be a way to share “closed” updates in the future. WinXP 32-Bit will live until 2019 given the POSReady2009 hack, so maybe… :)

      Edit: Ah, you might also be interested in [this], a few tricks to get UDF 2.5, exFAT, ASPI and EXT file systems to work on XP x64. The SSD TRIM infos though, well… I’d still recommend using a SSD which has proper support for XP x64, like Intels, Samsungs, Corsairs etc. ;)

  12. I got offered KB3000988 once before, in october 2014!

    And my WSUS gave two extra security updates:
    KB3030398 vbscript 5.7
    KB3030403 vbscript 5.6
    I do have the vbscript.dll file on my XP x64, with a lower version than the version in KB3030403. Maybe vbscript 5.7 is installed when IE7 is installed, I wouldn’t know, I don’t think I have ever installed IE7.

    • Hey Sjaak,

      I noticed the errors KB3000988 is likely supposed to fix just recently on my main XP x64 machine, so I suppose they broke something, and had to roll out that fix again, maybe in an updated version? See here, for the accounts NETWORK SERVICE and LOCAL SERVICE (both still operating as intended though it seems):

      Windows cannot find the local profile and is logging you on with a temporary profile.
      Changes you make to this profile will be lost when you log off.

      And that on every reboot. The wording isn’t exactly as described, but well, whatever.

      As for the others, thanks for spotting that. One of my 2003 Servers which hadn’t been updated for 3 months also got it, but I wasn’t sure from which month that update was, so I didn’t pay too much attention. The ones on the latest patch level didn’t get it though, for whatever reason. I’ll include it tomorrow, when I have some time. I do have VBS 5.7 installed on XP x64 myself, and sometimes it’s being used too, so thanks again for pointing that out!

      Edit: Ah, now I know why some servers didn’t get it… Those had VBScript 5.8 installed, just like my XP x64 too, when only 5.6 and 5.7 are affected on NT 5.2 systems!

  13. I think it’s this for this month:

    Security Update for Windows Server 2003 x64 Edition (KB3004361)
    Security Update for Windows Server 2003 x64 Edition (KB3013455)
    Update for Windows Server 2003 x64 Edition (KB3020338)
    Cumulative Security Update for Internet Explorer 6 for Windows Server 2003 x64 Edition (KB3021952)
    Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB3021952)
    Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 x64 Edition (KB3021952)
    Security Update for Windows Server 2003 x64 Edition (KB3023562)
    Security Update for Windows Server 2003 x64 Edition (KB3029944)

    • Morning,

      Interestingly, KB3020338 is a complete oddball. The MS15-003 security bulletin makes no mention of Server 2003 and hence gives no rating. My own Server 2003 doesn’t tell me to install it either. And yet it exists. Only thing I could do would be to add it with unknown rating if it installs nicely on XP x64. I’ll just get to it then!

      Edit: Ah, I overlooked it, as it’s an optional update. Still no ratings available for Server 2003, and the RDP8 components it mentions don’t exist on 2003. Only library it’s updating on 2003 is oleaut32.dll, so I’ll call it an “OLE update”.

      • The security bulletin MS15-003 mentions KB3020388, not KB3020338 which seem to have made you confused.

        KB3020338 fixes a problem with the KB3006226 security update.

    • Please note that there seems to be some trouble with [KB3013455], which is yet another font-related update. We seem to be getting lots of these in the past months, and there is always some trouble (Why the hell are parts of Microsofts font system sitting in the OS kernel by the way?!?).

      Let me quote Microsoft:

      “Known issues with this security update

      • After you install security update 3013455, you may notice some text quality degradation in certain scenarios. The problem occurs on computers that are running the following operating systems:

        • Windows Server 2008 SP2
        • Windows Server 2003 SP2
        • Windows Vista SP2


        Microsoft is researching this problem and will post more information in this article when the information becomes available.”

      From what I’ve heard today, this seems to affect mostly (or maybe entirely?) 32-bit machines. I tried to reproduce the issue on three XP x64 machines and two 32-bit Server 2003 R2 SP2 machines (1 physical, 4 VMs) with no “luck” so far.

      Given its security-related relevance, I’ll leave it in the list and update it as news come trickling in from Microsoft.

      This issue has been reported by [Tweakstone]German flag.

      Edit: I kept playing around, and with some affected fonts mentioned by Tweakstone I managed to reproduce the cosmetic font rendering issue on the following operating systems (clearly affected fonts are for instance Times New Roman and Arial):

      • Windows Server 2003 R2 SP2 (32-Bit)
      • Windows XP Professional SP3 / Windows Embedded POSReady2009 (32-Bit)
      • Windows XP Professional x64 Edition SP2 (64-Bit)
  14. Have you missed this one, or was this updated after black tuesday? https://support.microsoft.com/kb/3014029

    • Hey Sjaak,

      No, KB3014029 came with the rest of them on Tuesday. I intentionally left it out for XP x64, as the OS simply has no Internet Authentication Service (or “Network Policy Server”, as it’s been called since Server 2008), and thus no RADIUS server. To my knowledge, IAS cannot be installed on XP x64 either.

      It should be possible to verify this by running the following from the shell:

      netsh aaaa

      “aaaa” stands for the [authentication, authorization, accounting, and auditing] database. It not being present should indicate the non-existence of IAS. The Server 2008 equivalent of this would be:

      netsh nps

      On XP x64, the reply of netsh to this command is:

      The following command was not found: aaaa.

      So my conclusion was: IAS does not exist on XP x64, so no MS RADIUS server exists on XP x64, and as a consequence, KB3014029 should be unnecessary. I’m not sure it would even install, but I’ll try that out.

      Edit: The update actually does install on XP x64. I still don’t think that it makes any sense though. Installing libraries that are never used by anything? Maybe you have more insight here? I guess I could check whether the older versions of those updated libs are present on my other systems. Problem is, if they are, I can’t check whether they were ever used, as I have NTFS access time stamps turned off for performance reasons.

      Edit 2: Hm, interesting. The libraries for both 32 and 64 bit (iassam.dll) do exist on XP x64. I do not know why, but them being there does present a problem. Also, I do have access time stamps switched on for my SSD on one system, and last access was in October 2011. Whether that was for another update or what I cannot say. Given that evidence, I will add KB3014029 to the list shortly! Should’ve checked this more thoroughly by actually unpacking the update and comparing its contents to my systems libraries.

      • Yeah, I only looked if the file existed, which it does.. Windows update isn’t that clever, so it probably only looks if the file exists.

        Hmm, maybe I should try to copy a few windows 7 files (that need an update) to an XP installation, perhaps the windows updater is really stupid ;-)

        • :lol:

          Well, it ain’t bad that way. Since the library is there, any software could call functions from it. So in theory I could write my own XP x64 compatible server software that calls flawed functions from iassam.dll, thus making my service vulnerable to DoS attacks.

          I mean, yeah, that ain’t gonna happen. But I guess it’s better to have the newer version than not.

          I will adjust my procedures for “questionable” updates accordingly, and check the systems more carefully for the next update rounds in case there are more updates for services that shouldn’t exist on XP x64 – some of their files might still be there.

  15. Hi. Here’s an old update for XP x64 systems that you did not have listed before but is CPU related: KB936357
    http://support.microsoft.com/kb/936357
    Includes newer update.sys files for Windows XP x64 SP1/SP2. Install 936357 update along with the 932370 and 953955 updates.

    • Hello EP,

      Thank you for your report! According to my logs, this should be an optional update that is supposed to be distributed via regular Microsoft Update / Windows Update from well before the EOL of Windows XP. At least, the more severe behavior (0x0000007E BSOD) is only possible on 32-Bit systems anyway.

      I have checked my installations, and since I tend to install all important as well as optional updates, it should already be there. According to my findings, my older installation from 2009 already had KB936357 installed, whereas the newer test VMs did not. Could it be, that KB936357 was later consolidated into a rollup package, or maybe replaced by an even newer update? It’s from 2007, so I’m guessing there should be a reason why my newer XP x64 installations no longer install it from Microsoft Update by default.

      Also [seems to have caused some trouble] for some people.

  16. http://support.microsoft.com/kb/3011970

    “This update (version 5.1.31010.0) cannot be installed on Windows XP or Windows Server 2003 computers. Update 2977218 (version 5.1.30514.0) is the latest update for those systems.”

    Oh noes! Well, you’re not really missing out. But here’s how to install on these systems:
    First, get the 32-bit silverlight, from go.microsoft.com/fwlink/?LinkId=229320 (verify this is version 5.1.31010.0 after the download).
    Run the installer, but do not click ‘install’ or otherwise continue the installer.
    Go to the systemdrive, probably c:\, there’s now a new directory with a random name. In it are a few files: silverlight.7z, install.exe, silverlight.msi, install.res.dll and some $shutdown$ file.
    Copy the silverlight.7z and the silverlight.msi to a different directory. Now it’s safe to end the silverlight installer.
    Extract silverlight.7z, it contains only a silverlight.msp file. Keep the .msp and the .msi file, get rid of the rest.
    Now you just install the msi, and patch the msi with the .msp file.

    You might need another machine (with a supported os) before the installer will extract itself. Have not tested that. The microsoft site will try to downgrade you, but an other silverlight test site was working as it should.

    • Hey,

      Checking what it does, it seems the changes are negligible for XP x64 / 2003:

      “Microsoft PlayReady Digital Rights Management (DRM) content will now play in Enhanced Protected Mode (EPM) in Internet Explorer on a computer that is running Windows 8 or Windows 8.1.”

      Thus, I’ll leave it out of the list. But there is one thing that amuses me, and that’s “silverlight.7z”. Pfh, .7z, seriously Microsoft? Funny to have them recognize the superiority of an open source file archiver / compression library instead of using .cab or something. ;)

      Thanks for the instructions by the way, this might be applicable for other upcoming feature updates of certain software components on XP x64.

      • Oh, I thought it was a security update! Never intended it to be in this list anyway, but here seemed a good place to post it ;-)

        • Now you made me a bit nervous! ;) But of course this would be the right place, or so I wish to think at least. It’s good to have a watchful pair of eyes to double-check what I’m doing! :mrgreen:

          I re-checked the security bulletins since last month, but KB3011970 is not there despite having been released in December. Given what little information we have (like no severity rating, no related security bulletins) I guess it’s safe to assume it’s just a feature update for whatever “Microsoft PlayReady” and “Enhanced Protection Mode” DRM are. I don’t really know my way around SilverLight or MS DRM solutions for it I have to admit, never knowingly used it either.

          I wouldn’t be surprised to see your technique applied for other software / updates in the future though…

  17. This one got added yesterday:
    https://support.microsoft.com/kb/3011780

    • Hey Sjaak,

      Thanks for reporting this! I might have otherwise noticed it too late. KB3011780 has now been tested and integrated in the list of November updates. This is a really nasty one for users of Microsoft Active Directory domains, as the bug allows for privilege escalation to the level of a domain administrator!

  18. New this month:

    Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2003 for x64-based Systems (KB2978124) Security Updates 2978124 0% Not approved 11-11-2014
    Security Update for Microsoft .NET Framework 4 on Windows Server 2003, Vista, Windows 7, Server 2008, Server 2008 R2 x64 (KB2978125) Security Updates 2978125 0% Not approved 11-11-2014
    Security Update for Windows Server 2003 x64 Edition (KB2989935) Security Updates 2989935 0% Not approved 11-11-2014
    Security Update for Windows Server 2003 x64 Edition (KB2991963) Security Updates 2991963 0% Not approved 11-11-2014
    Security Update for Windows Server 2003 x64 Edition (KB2992611) Security Updates 2992611 0% Not approved 11-11-2014
    Security Update for Windows Server 2003 x64 Edition (KB2993958) Security Updates 2993958 0% Not approved 11-11-2014
    Security Update for Windows Server 2003 x64 Edition (KB3002885) Security Updates 3002885 0% Not approved 11-11-2014
    Cumulative Security Update for Internet Explorer 6 for Windows Server 2003 x64 Edition (KB3003057) Security Updates 3003057 0% Not approved 11-11-2014
    Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB3003057) Security Updates 3003057 0% Not approved 11-11-2014
    Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 x64 Edition (KB3003057) Security Updates 3003057 0% Not approved 11-11-2014
    Security Update for Windows Server 2003 x64 Edition (KB3006226) Security Updates 3006226 0% Not approved 11-11-2014

    • It’s done!

      By the way, I can no longer properly edit this article. The many nested lists totally fuck up the scripts checking the HTML code for sanity and security. This produces non-deterministic errors in the resulting page. Great. So I edit, then grab the code and paste it into the database manually. Et Voilà! The power of web 2.0. ;)

  19. Today I had to explain – yet again – the differences between XP and XP x64…. It’s NT5.2, for pete’s sake!
    At my work we connect to a database/system of a customer. All kinds of whine and argue about security for their new system. (They are migrating from citrix, to…. microsoft forefront/uag/whatever it’s called this month)

    When I try old credentials, for a citrix system I can logon to two servers which I shouldn’t have rights to, I guess. I might have Administrator rights on the one server I tried. I should really try if I do have those rights.

  20. I’ve been looking at few post-SP2 update lists, such as these: http://support.microsoft.com/kb/935640
    http://blogs.technet.com/b/yongrhee/archive/2012/04/01/list-of-failover-cluster-related-hotfixes-post-service-pack-2-for-windows-server-2003-sp2.aspx

    Of course we want a newer storport, tcpip and smb driver!
    WindowsServer2003.WindowsXP-KB957910-x64-ENU.exe -> storport update
    http://support.microsoft.com/kb/950224 -> netbt, smb, tcpip .4331 versions
    http://support.microsoft.com/kb/973097 -> smb.sys 5.2.3790.4577
    tcpip.sys gets update to 4318 with http://support.microsoft.com/kb/951748 / MS08-37, so that’s not really something new, but netbt.sys and smb.sys are at 3790 (SP2) versions after a new install + updates here.

    tcpip.sys 4776: http://support.microsoft.com/kb/2309312
    more info here: http://kbupdate.info/ and here http://www.mskbfiles.com/

    Even microsoft recommend some of these updates themselves in an enterprise situation: http://support.microsoft.com/kb/2775511
    Well, this is for windows 7, but I think the same thinking can be applied to windows 2003/XP x64 updates; if it fixes basic errors in things that are used often (tcp/ip, smb, dns), it should be fixed.

    • Hey Sjaak,

      Sorry for my late reply. I have taken a look at a few of the components listed at the sites you linked to. To be perfectly honest, I’ve just been to lazy to work my way through all of that stuff. Many updates also seem unrelated to XP x64 (like the clustering-related fixes).

      Also, I’ll need to study the updates in-depth, as I tend to be very careful when updating extremely critical kernel space components, such as ntfs.sys, storport.sys or tcpip.sys. I’m not saying one shouldn’t update to those newer kernel drivers, but touching and changing those components should be well-thought-out.

      I hope I can beat my laziness and take a proper look at the stuff in the nearer future. :)

  21. I also have KB2918614 as the actual security update for the windows installer service. KB942288 doesn’t seem to have been updated?

    • Hey Sjaak,

      That’s interesting. KB942288 came in on both my Server 2003 R2 testing VMs, so thats why I’m adding it. Neither wants to install KB2918614, at least not via regular Windows Update. I’ll take a look at it, test it and then add it though, as it seems it’s flagged as “important”. Strange that Windows Update doesn’t seem to want to install it. Maybe in a second updating round, I’ll test that right now.

      Thanks for pointing that out!

      Edit: Ok, got it. I missed KB2918614 because it needs the new (whatever) KB942288 installed. So KB2918614 will only appear and install via Windows Update after that dependency is met. I still have to test that thoroughly on my XP x64 VMs to make sure it works the same way there. If it works out, I will add KB2918614!

      Thanks for your help!

      • There might be some problem with KB2918614:
        http://www.edugeek.net/forums/windows-7/140586-possible-issue-kb2918614-causing-overlapped-i-o-operation-progress-errors.html

        With this update I can’t get a visual c++ redist to install via OPSI. After I removed this update, it is again possible.

        • Hey Sjaak,

          And [there’s more than that]. It seems KB2982791 (amongst others) may cause a serious fuckup. I got information from several places that the BSOD may occur if Open Type Fonts (*.ttf or *.otf, you can identify them by their icon) are installed and registered in non-standard font paths. That’s pretty bad stuff, and MS recommends deinstallation. KB2982791 and others have also been pulled out of Windows Update for now, but I’m sure you’re already aware.

          You can identify OTF fonts by looking at the icon, as said. Instead of the “TT” icon that stands for Microsoft TrueType, it’s an “O” one, a bit like this:


          (TTF)


          (OTF)

          So far, my VMs are all working fine, but for now I’m not deploying any affected updates on my live systems, despite their font installation paths looking ok. Who knows what’s going to happen. I should probably flag the update here too.

          Edit: Done.

  22. Has anyone been successful in getting an upgrade in place of the XP Pro x64 OS to either VISTA, Win7/8/8.1 or perhaps a server on like 2008 to work? I have a machine that I would like to migrate to Win 7 x64, but I don’t want to deal with a clean install. It has too much configured and installed to start over from scratch.

    Thanks,

    Bert

    • Hello Bert,

      As you’re probably aware of by now, XP x64 does not upgrade to Windows 7 x64, also not to any other newer NT operating system I know. I tried this briefly only to have the installer tell me that I can’t upgrade from XP to 7 directly. I also tried this with Windows Vista Business x64 SP1 with the exact same result.

      The Vista case is funny though, as the installer will tell you that you need a 32-Bit version of Windows XP to upgrade directly. So maybe – just maybe – one could hack together a solution rather easily for Vista. As of now I am not aware of any such hack though.

      Maybe someone else can be of assistance here. There are probably only very, very few people reading this website though, so you may also want to ask [around here].

      Sorry I can’t be of any better help with this problem. :( Probably too busy keeping XP x64 alive to actually investigate upgrade paths. In the future, if I do decide to go with Win7 instead of Linux or UNIX, this will be a problem for me too. But I’d rather not dare anyway, given the significant amount of add-on kernel drivers I’m running (exFAT, EXT2/3/4, AnyDVD HD, UDF 2.5, Avast AV, TrueCrypt and more plus a truck load of actual device drivers).

      • Thanks. Yeah, that’s exactly what I have been running into as well.

        I was even trying to find a VISTA beta or something, to see if it has a upgrade option. Anyway, I’ll let you know if I figure it out. I bet the code is still in there, just disabled.

        • Hey Bert,

          I’ll have to admit, I never fooled around much with any of the Microsoft OS installers so far, only a little bit of nLite modding and that’s it.

          I’m looking forward to seeing your results, whether good or bad. One would assume that upgrading XP x64 to Vista x64 ‘should’ be easier than XP 32-Bit to Vista x64. But then again, XP x64 does have a different code base with NT 5.2 / Server 2003 x64 at its core, probably messing with the upgrader, so I dunno…

  23. Whoops, of course the .net 2 and .net 4 updates should also include the x86 component, because the 32-bit version also gets installed on a 64-bit OS.

    • Hmm, I’m not sure I follow. I tried to install the 32-Bit version of KB2932079 just to check, and it wouldn’t install, telling me that none of the products the update applies to are installed on my machine.

      I thought the .Net frameworks always follow the bitness of the operating system, and any .Net code can run on whatever framework, whether 32-Bit or 64-Bit x86?! Like Java. Is this not correct? Did I miss any update I should include?

      • You are correct, it isn’t needed. I got a bit confused. The .net 4 framework has a few updates that have a combined x86 and x64 package, and some are separate.

        I don’t know about the internals of the .net framework but in %systemroot%\microsoft.NET\ you have two directories: framework and framework64.

        Oh well, then I can throw something out of my hotfix package again.

  24. What I always install on XP x64 machines:

    RDP 6.0 client
    WindowsServer2003.WindowsXP-KB925876-v2-x64-ENU.exe” /quiet /norestart /nobackup

    exFAT update
    WindowsServer2003.WindowsXP-KB955704-x64-ENU.exe” /quiet /norestart /nobackup

    storport update (sata stuff also runs on the scsi subsystem)
    WindowsServer2003.WindowsXP-KB957910-x64-ENU.exe” /quiet /norestart /nobackup

    RDP 6.1 client (this is a security update, which is why XP x64 also has a RDP6.1 client. You might be able to install it without first installing RDP6.0)
    WindowsServer2003.WindowsXP-KB2481109-x64-ENU.exe” /quiet /norestart /nobackup

    Windows Image Component, mostly to prepare the system for a .net lamework install
    wic_x64_enu.exe” /quiet /norestart /nobackup

    There are of course lots of other post-SP2 hotfixes. I’ll copy the useful lot:
    Update for Windows XP x64 Edition (KB2158563) 2158563 (timezone stuff)
    Update for Windows XP x64 Edition (KB2388210) 2388210
    Update for Windows XP x64 Edition (KB2443685) 2443685 (timezone stuff)
    Update for Windows XP x64 Edition (KB2492386) 2492386
    Update for Windows XP x64 Edition (KB2524375) 2524375
    Update Rollup for ActiveX Killbits for Windows XP x64 Edition (KB2562937)
    Update for Windows XP x64 Edition (KB2570791) 2570791 (timezone stuff)
    Update for Windows XP x64 Edition (KB2607712) 2607712
    Update for Windows XP x64 Edition (KB2616676) 2616676
    Update for Windows XP x64 Edition (KB2633952) 2633952 (timezone junk)
    Update for Windows XP x64 Edition (KB2641690) 2641690
    Update for Windows XP x64 Edition (KB2661254) 2661254
    Update for Windows XP x64 Edition (KB2718704) 2718704
    Update for Windows XP x64 Edition (KB2748349) 2748349 (VSS fix)
    Update for Windows XP x64 Edition (KB2749655) 2749655
    Update for Windows XP x64 Edition (KB2756822) 2756822 (timezone)
    Update for Windows XP x64 Edition (KB2779562) 2779562 (timezone)
    Update for Windows XP x64 Edition (KB908521) 908521
    Update for Windows XP x64 Edition (KB910437) 910437
    Update for Windows XP x64 Edition (KB911897) 911897
    Update for Windows XP x64 Edition (KB914784) 914784
    Update for Windows XP x64 Edition (KB916846) 916846
    Update for Windows XP x64 Edition (KB922582) 922582
    February 2007 CardSpace Update for Windows XP x64 Edition (KB925720)
    Update for Windows XP x64 Edition (KB927891) 927891
    Update for Root Certificates for Windows XP x64 Edition [May 2013] (KB931125)
    Update for Windows XP x64 Edition (KB931836)
    Update for Windows XP x64 Edition (KB932596)
    Update for Windows XP x64 Edition (KB933360)
    Update for Windows XP x64 Edition (KB942763)
    Update for Windows XP x64 Edition (KB942840)
    Update for Windows XP x64 Edition (KB951072)
    Update for Windows XP x64 Edition (KB955759)
    Update for Windows XP x64 Edition (KB955839)
    Update for Windows XP x64 Edition (KB959772)
    Update for Windows XP x64 Edition (KB961118)
    Update for Windows XP x64 Edition (KB967715)
    Update for Windows XP x64 Edition (KB970653)
    Update for Windows XP x64 Edition (KB973687)
    Update for Windows XP x64 Edition (KB976098)
    Update for Windows XP x64 Edition (KB979306)
    Update for Windows XP x64 Edition (KB981793)

    These are update until half of 2013 and which I approved in WSUS.
    I should make a list with all XP x64 updates… well next time.. and you have WSUS running yourself now as well, don’t you?
    Anyway, there are maybe ten post-SP2 hotfixes that are really worth updating. Fixes for weird problems, better performance, etc. Timezone fixes… well, who needs’em.

    Bwah, time to go to bed…..

    • Hey Sjaak,

      I do have a Server 2003, but no WSUS. I’ve never worked with that. So what I’m doing is checking for regular Windows Updates every now and then (definitely will do on patch tuesday), and that’s it. Can you recommend a better way? If WSUS is somehow better, maybe I can set it up on my Server 2003 VM.

      And thanks for the list you compiled! It seems some of those I already do have installed via regular Windows Update on XP x64. When I have time, I can compare with my installation and look at the ones I don’t have, so I can maybe add them to my list even if they’re pre-April, like the Win32_processor updates.

      Thanks for your time! :)

      • Well, I tried various ways in the past, but WSUS is the only thing that works for me. No more looking for KB numbers, and keeping a list of what is what. WSUS is pretty quick, most of the time the KB webpages aren’t even online yet.

        Here is the list of this month:
        Security Update for Windows Server 2003 x64 Edition (KB2939576) 2939576 Not approved
        Security Update for Microsoft XML Core Services 6.0 Service Pack 2 for x64-based Systems (KB2957482) 2957482 Not approved
        Security Update for Windows Server 2003 x64 Edition (KB2957503) 2957503 Not approved
        Security Update for Windows Server 2003 x64 Edition (KB2957509) 2957509 Not approved
        Cumulative Security Update for Internet Explorer 7 for Windows Server 2003 x64 Edition (KB2957689) 2957689 Not approved
        Cumulative Security Update for Internet Explorer 8 for Windows Server 2003 x64 Edition (KB2957689) 2957689 Not approved
        Cumulative Security Update for Internet Explorer 6 for Windows Server 2003 x64 Edition (KB2957689) 2957689 Not approved

        XML6 is a bit of a thing; It’s installed on XP 32-bit by default, on XP x64 and 2k3 x64 you might get it when you install a program like AutoCAD or something. If you need a new installation of MSXML6 you get this KB number, and you’re set. This is a full install.

        • Aw man, why are you faster than me? WSUS I guess. ;)

          I just finished all my tests on one of my XP x64 VMs, I will re-run them on a second VM tomorrow morning, and then publish the files including their Server 2003 security ratings if all goes well. No heavy binary modifications necessary this time around.

          I will also include the new Malicious Software Removal update (KB890830), even if you can still download and install that via regular Windows Update on XP x64, who knows, maybe one day we can’t do that anymore.

          The MSXML6 SP2 update installed just fine on my box by the way (which has only official updates and my compiled updates from May installed). It prompted me for a full installation, which completed just fine with no issues. So I guess that’s ok, like you said, a full install.

          Edit: All installation tests have been a success, updates for 2014-06 have been published.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre lang="" line="" escaped="" cssfile="">

(required)

(required)