WinXP security patches: Locating/copying these for use on offline system?

  • Question

  • 'Ow do everyone! :-)
    I'm actually a domestic Windows customer (Running XP Professional mainly, with a couple of boxes running Home) but because of the nature of my query and the fact that I'm a long-term poweruser, I thought TN would be a more appropriate place for this post. :-)

    Anyhow...Due to recent lifestyle changes, I recently ceased to have a home Internet connection - And now my only option for obtaining updates for Windows and other software is to download them via a public or friend's computer, save them to disk, then take them home for application to my own network.
    At present; Two of my machines are patched up roughly as far as KB-2121546, which was the last patch released before I lost my connection. However - Looking at the updates list on the machine that I'm using here - I can see at least ten further updates (At least seven of which look critical) and with a few of my machines clagged-up and overdue on Windows reinstalls, I'd like to copy and archive a collection of these downloaded patches that could then be applied to my PCs again after reinstallation without having to trawl through the MSDN download pages and download all 125+ patches manually! :-D

    Because of the nature of Windows security/stability patches (I'm referring to the patches automatically downloaded by UPDATE.EXE and installed by WINLOGON.EXE on shutdown) and the way they're rolled out, I'd find updating much quicker and easier if I could simply copy these updates from a machine that had already downloaded/applied them for use as outlined above. However, I cannot seem to identify where in the Windows filesystem these downloaded patches are stored, and whether or not the patch is kept on the machine after update and not simply deleted.

    I've already had a trawl through the Windows trees on a few PCs and found a large number of hidden folders there (All conforming to $NtUninstallKB [...]$ ) that look like they might be a likely candidate, but Windows denies access to those folders by default. Although I could probably CACLS myself access via safe mode, I'd rather not try that on my friend's computer from which I am making this post! :-)

    If someone could please tell me where UPDATE.EXE/WINLOGON.EXE normally store these downloaded patches, and any special procedures (Bar simply executing the patches in KB number order) required for installing them on my own offline computers, then I'd be most grateful. :-)

    Farewell for now, and many thanks in advance for any help! >:-)
    +++ DieselDragon +++

    Friday, November 12, 2010 8:34 PM

Answers

  • You can download individual updates from the Catalog and save to be installed later.
    http://catalog.update.microsoft.com/v7/site/Home.aspx

    How to download updates and drivers from the Windows Update Catalog or from the Microsoft Update Catalog
    http://support.microsoft.com/kb/323166

    Search for a download
    http://www.microsoft.com/downloads/search.aspx?displaylang=en

    Security updates are available on ISO-9660 CD image files from the Microsoft Download Center
    http://support.microsoft.com/kb/913086


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    • Marked as answer by DieselDragon Wednesday, November 17, 2010 6:22 AM
    Saturday, November 13, 2010 1:54 PM
  • If your XP OS has SP3 installed, you can use Autopatcher to get all the updates. Save all the folder in which all your downloads have been made to disc or USB stick, then you can update your systems in one go from that.

    http://www.autopatcher.com/downloads/

    Read the user guide.


    • Marked as answer by DieselDragon Wednesday, November 17, 2010 6:23 AM
    Sunday, November 14, 2010 5:03 PM
  • Consider this utility:

    http://download.wsusoffline.net/

    It will allow you to selectively download Windows and Office updates. It will even allow .iso compilation. I've only recently started using it, but I am very impressed.

    • Marked as answer by DieselDragon Wednesday, November 17, 2010 6:23 AM
    Monday, November 15, 2010 8:32 PM

All replies

  • Hi, Pa Bear!
    Thanks for the reply and the useful links! :-)

    Using those as reference material, I've just spent most of the afternoon looking further into the way that the Windows Update process works (Including that huge white paper about Update.exe!) and after some digging around on this machine with an Admin logon, I managed to find and explore the %SystemRoot%\$HF_MIG$ tree which at first seemed to be what I was looking for; A local repository of patch files that I could simply copy onto my own machine.
    However, more reference to the Update.exe WP clarified that these are local Hotfix Migration (HFM) repositories kept so that patches can be reapplied automatically after an SP upgrade, and are dynamically downloaded...So the HFM trees sat on this XP Home SP3 computer could well be missing some of the bits I'd need to apply them to my XP Pro SP2 systems at home. :-|

    After looking at the links that you gave me earlier, I can see three possible routes to my solution:

    1. Downloading the ISO'd patch archives:
      Although this would give me every conceivable patch and service pack for every MS operating system supported since around Sep 2006 (Which would also allow me to update my WinNT, 2K and Server 2003 boxes into the bargain) the sheer data overhead involved would make this a very inefficient route for me to go down. Although I've only had a very brief look at the ISO images available, I'd estimate that the entire collection would need at least 40-60GB of storage to keep it on.
      As I'm a domestic user who only needs the English language patches for 2-3 OSs; The overhead from other language and OS versions and the time/bandwidth/disk space involved to download it all would be in neither mine nor Microsoft's best interests.  
    2. Downloading the patches that I need from the Update Catalogue:
      This option is far more efficient considering the patches that I actually need versus the sheer volume of patches offered via the MSDN ISO downloads; As you rightly point out (And I verified with light testing earlier) the update catalogue would allow me to download all of the patches that I need as manageable self-installing archives without also downloading data that I don't need and will never use.
      The only problem that I'm having so far with this approach is that I cannot seem to identify and isolate exactly the patches that I'm looking for (All security, stability and feature updates for WinXP alone) via that service...A search under "Update for Windows XP" returns a lot of irrelevant results (x64 versions, patches for Embedded/N/Beta versions, different language versions etc) that are a pain to navigate around, each search has a limit of 1,000 results, and the search engine is very basic for the service that it indexes - There's no facility to handle specific queries, and no apparent way to instruct the search engine to return results conforming to "Type: Security AND/OR Update, OS: Windows XP Pro AND/OR Home, Architecture: x86, Language: English" as I'd like to.  
    3. Copying patch files from $HF_MIG$ and installing manually:
      This was my original plan at first, as I would rather copy a patch update from a machine that had already downloaded it, check the signature, then load and run it on my own PC - An approach that's quicker and more efficient than searching for and downloading the file again by hand. As I mentioned above though, this may well not work in practice because Windows uses dynamic updates...And the files required to update machine A may not necessarily be sufficient for updating machine B. On top of this, there's the fact that the $HF_MIG$ tree doesn't appear to contain all of the updates that have been applied to a machine, presumably because some (Like the Genuine Advantage patch) are deliberately not saved and have to be downloaded on demand, and others are obsolesced by later patches which overwrite the earlier ones.

    At present, my most likely way forward will be to try downloading a collection of patches from the Windows Update Catalogue and keeping them archived on DVD for offline use as and when required. That said, searching through and selecting all of the updates I need without inadvertently downloading something I don't is going to be a right pig to manage... :-|

     

    Thinking about where I find myself right now, there's a few things that I would find quite useful:

    • Good: A comprehensive list of all patches and security updates (Including KB numbers) that have been released since the original RTM version of Windows XP.
    • Better: A version of the patch archive ISOs referred to above that contain patches only for the English versions of Windows. Although this would include patches for Vista and VII (Neither of which I'm using at present) a complete patch archive for 2K, XP, and 2003 Server without the non-English patches that I don't need would make the "Download the ISO images" route a viable and justifiable one.
    • Best: A version of the patch archive ISOs as above, but containing only the patch history for Windows XP on its own. That would allow me to use the archive to keep my XP systems properly up to date, whilst relying on service packs alone for 2K and 2K3 Server.
      (Because XP SP3 includes WGA - Which in turn requires an Internet connection to allow verification that Windows is genuine - I haven't been able to implement SP3 on any of my XP systems because my network is permanently offline, and WGA would immobilise all of my machines under such circumstances...Unless there is a Microsoft endorsed WGA-less version of SP3 knocking about that I could use instead.)
    Would any of the above happen to exist, and if so where might they be found? :-)

     

    Farewell for now, and many thanks again for your excellent help! >:-)
    +++ DieselDragon +++

    Addendum: Just to satisfy my curiosity, I've just gone to the trouble of totalling up the size of the update ISO repository, and it's even bigger than I'd initially thought. Up to and including the October 2010 update, it totals out at a whopping 69GB of updates! :-O
    Now only the Gods Themselves will know just how long that little lot'll take to download on this 5mbps DSL connection! :-O

    • Edited by DieselDragon Sunday, November 14, 2010 4:27 AM Inserted addendum regarding total size of Microsoft update archive
    Sunday, November 14, 2010 2:05 AM
  • Would any of the above happen to exist, and if so where might they be found?

    Nope, not that I know of.

    Your biggest hurdle IMHO is knowing which updates a particular computer "really needs" (i.e., critical security updates) and which it "should have" (i.e., Optional, non-security updates like KB951847, KB956250, KB982670). This is where Automatic Updates' (AU) detection logic wins hands down.

    If you're only dealing with a few boxes, you might consider setting AU to the "Notify Only" option [1] on each box and then let AU do the heavy lifting. Once AU has identified applicable updates for a given computer, you can then install them manually instead of letting AU do it. This comes in especially handy as you'll be dealing with scores of cumulative updates (e.g., KB2360131 includes everything in KB2183461 & earlier).

    ===============================
    [1] AU will notify of available updates (security-related & otherwise) but no updates will download or install without your approval.


    ~Robear Dyer (PA [as in Pennsylvania] Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Sunday, November 14, 2010 4:27 PM
  • Hi again! Sorry I've been gone for a bit! :-)

    Originally written by PA Bear :


    Nope, not that I know of.
    Your biggest hurdle IMHO is knowing which updates a particular computer "really needs" (i.e., critical security updates) and which it "should have" (i.e., Optional, non-security updates like KB951847, KB956250, KB982670). This is where Automatic Updates' (AU) detection logic wins hands down.

    Aye, that's certainly true...Although when it comes down to the question of whether or not a machine needs any specific update, I'd prefer to have a pool of all the updates to hand which could then be installed anyway. On any updates not relevant to the given machine (e.g: An x64 update being applied to an x86 version of the OS) the packager/updater should simply give a prompt explaining this fact, and quit without making any changes. :-)

    That's why I'd like to have access to a comprehensive archive of updates for XP...At the negligible risk of keeping a few tens of MB of data more than I might actually need in the end, it'd give me the assurance that I'd have a complete update library that could be used as desired.
    'Tis a pity that Microsoft have chosen to release the ISOs as updates for every language version of every current OS...Rather than having individual ISO images for each OS family, with each ISO containing every update for a specific language... :-|

    Originally written by PA Bear :


    If you're only dealing with a few boxes, you might consider setting AU to the "Notify Only" option [1] on each box and then let AU do the heavy lifting. Once AU has identified applicable updates for a given computer, you can then install them manually instead of letting AU do it. This comes in especially handy as you'll be dealing with scores of cumulative updates (e.g., KB2360131 includes everything in KB2183461 & earlier).

    If my network had an Internet connection which could be used for this purpose, then I'd still be relying on AU for all of my updates. However, the problem is that AU - However configured - Cannot work on my home network because I have no internet connection whatsoever = No way of checking or downloading the updates! :-D
    With a bit of reading up, I could always set up an NT server to act as a local Windows Update server...But that would still require my having all of the patch files stored on the network anyway. Locally spoofing Windows Update would therefore be pointless, given that I could just run the update collection from DVD-R or a network share! :-)

    Originally written by J. Rosenfeld :


    If your XP OS has SP3 installed...

    None of my home machines have SP3 itself installed. Because I have no Internet connection, the WGA client bundled with SP3 would "kill" all of my machines (Despite them having legitimate Windows on them) because there's no way for WGA to check my Windows installs with Microsoft's servers. I could try spoofing the WGA request/response cycle locally to work around this problem, but I strongly suspect that - Despite its legitimate intentions - Such a workaround would be in breach of the Microsoft EULA. :-|

    Originally written by J. Rosenfeld :


    If your XP OS has SP3 installed, you can use Autopatcher to get all the updates. [...]
    http://www.autopatcher.com/downloads/ - Read the user guide.

    Originally written by Famous Ray :


    Consider this utility:
    http://download.wsusoffline.net/
    It will allow you to selectively download Windows and Office updates.

    Cheers for the software suggestions, guys! :-)

    Talking of software downloaders though, I came across JCarle's Windows Updates Downloader the other day and decided - Given its freeware licence and community driven nature - To give it a go. Although it requires a separate update list to work (These are also hosted on the site) I found that this program was extremely reliable and easy to use, and it downloaded the raw installer binaries to disk (It didn't attempt to repackage the patches, strip out bits irrelevant to the OS in use, or whatever) which is pretty much what I wanted in the first place. On top of that I've also found that W.U.D can easily be adapted for my own purposes using custom update lists, which for me is an added bonus. :-)

    At time of posting, I now have an archive of updates for XP running from the release of SP2 to now (That's about 240 updates, plus the two service packs) which should hopefully be complete and suitable for the use that I have in mind for them. Admittedly I spent hours updating my patch file by hand to include updates released since March (Using the AU history and installed patches on this PC as a guide) but I think that I might have it all. The only challenge now is that at some point I'll have to do the same thing for updates for Windows 2000 and Windows Server 2003, as well! :-O

    Farewell for now, and thanks once again for all the help! If anyone can tell me where I might be able to find a comprehensive list of updates for Windows XP/2K0/2K3 (From MSDN channels or the patch update URL that AU calls to check for new patches, maybe?) then I'd be most grateful, as stated above! >:-)
    +++ DieselDragon +++

    Wednesday, November 17, 2010 6:22 AM
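
Added example, not part of the original thread or of any tool named in it: a way to carry an archive of raw installer binaries from the download machine to the offline network, recording a SHA-256 manifest at download time, re-checking it before anything is run, and listing the surviving packages in the KB-number order the question mentions. The filename pattern (`<product>-KB<number>[-vN]-<arch>-<lang>.exe`), the manifest name and all function names are assumptions of this sketch; `/quiet` and `/norestart` are the standard switches of Update.exe-based packages.

```python
import hashlib
import re
from pathlib import Path

# Assumed naming convention for hotfix installers, e.g.
# WindowsXP-KB2360131-x86-ENU.exe (optionally with a -v2 style revision).
NAME_RE = re.compile(
    r"^(?P<product>.+?)-KB(?P<kb>\d+)(?:-v(?P<rev>\d+))?"
    r"-(?P<arch>[^-]+)-(?P<lang>[A-Za-z]{3})\.exe$"
)

def sha256_of(path):
    """Hash a file in 1 MiB chunks so large service packs do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def select_packages(names, arch="x86", lang="ENU"):
    """Keep one architecture/language, newest revision per KB, sorted by KB number."""
    best = {}
    for name in names:
        m = NAME_RE.match(name)
        if not m:
            continue  # not an installer following the assumed convention
        if m["arch"].lower() != arch.lower() or m["lang"].upper() != lang.upper():
            continue  # wrong platform or language for the target machines
        key = (int(m["kb"]), m["product"].lower())
        rev = int(m["rev"] or 1)
        if key not in best or rev > best[key][0]:
            best[key] = (rev, name)
    return [best[key][1] for key in sorted(best)]

def write_manifest(folder, manifest="SHA256SUMS.txt"):
    """Download side: record a hash for every selected installer."""
    folder = Path(folder)
    names = select_packages(p.name for p in folder.iterdir() if p.is_file())
    lines = [f"{sha256_of(folder / n)}  {n}" for n in names]
    (folder / manifest).write_text("\n".join(lines) + "\n")
    return names

def verify_and_plan(folder, manifest="SHA256SUMS.txt"):
    """Offline side: return (install command lines, files that failed the check).

    The manifest only shows that a file is unchanged since it was downloaded;
    the publisher's digital signature on each installer remains the check that
    it is genuine, so keep a copy of the manifest apart from the media.
    """
    folder = Path(folder)
    plan, bad = [], []
    for line in (folder / manifest).read_text().splitlines():
        digest, name = line.split("  ", 1)
        path = folder / name
        if path.is_file() and sha256_of(path) == digest:
            plan.append(f'"{name}" /quiet /norestart')
        else:
            bad.append(name)  # missing, truncated or altered in transit
    return plan, bad
```

Anything returned in the second list should be downloaded again rather than run.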
  • None of my home machines have SP3 itself installed...


    Support for WinXP SP2 ended on 13 July 2010. Computers running WinXP SP2 "will no longer receive software updates from Windows Update" [i.e., updates released on & after 02 August 2010 so you're now over three months behind!] until SP3 has been installed.  Extended Support for WinXP SP3 will continue through 08 April 2014.

        • What does it mean if my version of Windows is no longer supported?
           http://windows.microsoft.com/en-us/windows/help/what-does-end-of-support-mean

    Please note that you also will NOT be able to manually install any updates released on or after 02 August 2010 unless WinXP SP3 has been installed but you can install SP3 manually.

        • HOW TO get a computer running WinXP SP2 fully patched
           http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b


    ~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
    Wednesday, November 17, 2010 6:56 AM