Explorer09

Blame Microsoft. This is their fault for downgrading "updroots.exe". The December 2012 roots certificate update does not have this problem.

A quick summary of the Patch Tuesday this month (May 2013): Windows XP 2820197 | advisory | activex killbit | 38863 | replaces 2736233 2829361 | ms13-046 | win32k.sys | 38995 | replaces 2808735 2829530 | ms13-037 | IE | IE6:38876 IE8:38941 | replace 2817183 2847204 | ms13-038 | mshtml.dll (IE8 only) | 39031 | none MSRT 4.20.7401.0 Flash Player 11.7.700.202 (APSB13-14) Office 2003 2810046 | ms13-043 | Word (2003 only) | 39012 | replaces 2760497 2810047 | ms13-042 | Publisher 2003 | 39004 | replaces 2553084 2817360 | outlfltr 2003 | 39000

Hi Acheron. In my first post, I was not saying that I have problems integrating KB961118. I was saying that KB961118 shouldn't be integrated without .NET 3.5. Of course you can fix HFSLIP to support integrating ntprint.cat, but I think you shouldn't. HFSLIP does not integrate .NET 3.5, and without .NET, integrating KB961118 will be meaningless and might bring you problems. I would rather suggest installing KB961118 manually.

@ rulman: I apologize if you (rulman) get offended because of this. I didn't mean any offense when I corrected your English.

To save Kurt_Aust's time updating his list, April 2013 Patch Tuesday Windows XP x64 KB number | Bulletin | Patched component | Download page ID | Replacement KB2817183-x64 | MS13-028 | IE | 38364 38373 | Replaces KB2809289 (MS13-021) and KB2797052 (MS13-010) KB2813345-x64 | MS13-029 | mstscax (rdp6.1) | 38266 | No replacement KB2813170-x64 | MS13-031 | Kernel | 38308 | Replaces KB2799494 (MS13-017) KB2820917-x64 | MS13-033 | csrss (winsrv.dll) | 38279 | Replaces KB2646524 KB2808735-x64 | MS13-036 | win32k.sys | 38243 | Replaces KB2778344 KB890830-x64 | | MSRT 4.19.7304.0 | 9905 | Old MSRT Flash Player 11.7.700.169 | APSB13-11 | | Direct link EDIT: Fix typo. It's KB2808735 not KB2828735.

Please use the right grammar tense of the verbs. Or your meaning will be reversed. For example 2809289 is replaced by 2817183 not "2809289 replaces 2817183". Also, I correct a few errors: 2801109 (Active Directory Application Mode) is not part of stock XP, so you don't need to install it unless you installed ADAM for some reason. 2772930 is not needed for Windows XP. (MS doesn't offer the update for XP.) EDIT: Here's one more. KB2797052 (vgx.dll) is also replaced by KB2817183 (IE security update). For people who are confused, here is a summary: April 2013 Patch Tuesday Windows XP KB number | Bulletin | Patched component | Download page ID | Replacement KB2817183 | MS13-028 | IE | 38293 38347 | Replaces KB2809289 (MS13-021) and KB2797052 (MS13-010) KB2813345 | MS13-029 | mstscax (RDC6.1) | 38315 | No replacement KB2813347 | MS13-029 | mstsc (RDC7.0) | 38281 | Replaces KB2483614 (MS11-017) KB2813170 | MS13-031 | Kernel | 38303 | Replaces KB2799494 (MS13-017) KB2820917 | MS13-033 | csrss (winsrv.dll) | 38299 | Replaces KB2646524 (MS12-003) KB2808735 | MS13-036 | win32k.sys | 38255 | Replaces KB2778344 (MS13-016) KB890830 | | MSRT 4.19.7304.0 | 16 | Old MSRT Flash Player 11.7.700.169 | APSB13-11 | | Direct link Office 2003 KB2810049 | | outlfltr | 38371 | Old junk email filter update

And here's one more: KB2768025 | | outlfltr | 36962 | replaces KB2760754 Office 2003 junk email filter update.

I agree. KB2264107 should be optional because the update only introduces the "CWDIllegalInDllSearch" registry switch for those who want it. By the way, there is one update for Office 2003 this month (February 2013), the Junk Email Filter update KB2767887. Mino should update this to his list.

I have some Microsoft games that use MSXML4. I can name an example: Age of Empires 3.

Yes it is in the standard XP install. You can verify this by yourself. Look in the directory "C:\WINDOWS\system32" and see the file msxml6.dll. The file version should be 6.20.2502.0 after you install KB2757638. (If it is 6.20.2501.0, then you have KB2719985 installed but not KB2757638)

jduk does make sense, although I don't like this. His application is at the gray area of nLite's EULA, and I believe there's a better way to achieve this. What jduk wants is to deploy several remote headless machines with nLited OS, and (at the time) he cannot physically access the machines. So he want as little work as possible for his "family members" who helps him. By "as little work as possible" he means to just put the CD, turn on the computer, and then wait until the installation finishes and reboots. Do I explain this right?

Kurt_Aust has answered this: You should already have known why I asked this question. Yes I don't use .NET 4.0, that's why.

As this section does not have any entry in [DefaultInstall]. When I told to Read the Manual, I really mean it. The URL I gave to you have described very well about what is the .security section.

If you write this way you'll modify a registry value entry. What I want is to set the permissions of a registry key, not to modify a value entry. You should read some documents about the INF file, such as this: INF AddReg Directive (Windows Drivers)

It's available now: http://technet.microsoft.com/en-us/security/Bulletin/MS13-008 KB2794220 | MS13-008 | IE (mshtml.dll) | IE6:36401 IE8:36418 | This update is not cumulative, so it might be replaced by a cumulative update in the future.

Wait a minute, Kurt_Aust, which updates replace KB982524? I didn't get it. My data shows that there are a few files in KB982524 that are not replaced.

Darn Microsoft. They should have merged these three updates together, so I can save my time and disk space. Files (GDR branch) | KB977354-v2 | KB2604110 | KB2656407 | ----------------------------+---------------+---------------+---------------+ PresentationCore.dll | 3.0.6920.4016 | 3.0.6920.4021 | 3.0.6920.4021 | PresentationFramework.dll | 3.0.6920.4016 | 3.0.6920.4021 | 3.0.6920.4021 | PresentationHost.exe | 4.0.40305.0 | (no) | (no) | PresentationHostDLL.dll | 3.0.6920.4016 | 3.0.6920.4021 | 3.0.6920.4021 | PresentationHostProxy.dll | 4.0.31106.0 | (no) | (no) | ReachFramework.dll | (no) | (no) | 3.0.6920.4021 | System.Printing.dll | (no) | (no) | 3.0.6920.4021 | WindowsBase.dll | 3.0.6920.4016 | 3.0.6920.4021 | 3.0.6920.4021 | XPSViewer.exe | (no) | 3.0.6920.4021 | (no) | | | Files (LDR branch) | KB977354-v2 | KB2604110 | KB2656407 | ----------------------------+---------------+---------------+---------------+ PresentationCore.dll | 3.0.6920.4030 | 3.0.6920.5810 | 3.0.6920.5810 | PresentationFramework.dll | 3.0.6920.4030 | 3.0.6920.5810 | 3.0.6920.5810 | PresentationHost.exe | 4.0.40305.0 | (no) | (no) | PresentationHostDLL.dll | 3.0.6920.4030 | 3.0.6920.5810 | 3.0.6920.5810 | PresentationHostProxy.dll | 4.0.31106.0 | (no) | (no) | ReachFramework.dll | (no) | (no) | 3.0.6920.5810 | System.Printing.dll | (no) | (no) | 3.0.6920.5810 | WindowsBase.dll | 3.0.6920.4030 | 3.0.6920.5810 | 3.0.6920.5810 | XPSViewer.exe | (no) | 3.0.6920.5810 | (no) |

January 2013 Patch Tuesday Windows XP x64 KB2757638-x64 | MS13-002 | msxml | 36258 | Replaces KB2719985 APSB13-01 | Flash Player 11.5.502.146 | (a.k.a. KB2796096 in IE10) .NET Framework 2.0 (I don't check .NET 1.1 and 4.0, sorry.) KB2742596 | MS13-004 | .net 2.0 | 36275 | Replaces many updates. See below. .NET Framework 3.5 KB2756918 | MS13-004 | .net 3.0 | 36368 | See below. KB2736416 | MS13-007 | .net 3.5 | 36300 | Replaces KB982306 Note: There are many old updates replaced by updates in MS13-004 bulletin. It would be tiring for me to check every update in it, so I checked only what I needed. KB2686828 replaced by KB2742596 KB2656369 replaced by KB2742596 KB2604092 replaced by KB2729450 + KB2742596 together KB979909 replaced by KB2742596 KB982306 replaced by KB2736416 KB982168 replaced by KB2756918 + KB2656352 + KB2539631 together. (KB982168 is a rollup update that consist of KB976769, KB976765, and KB980773. All of them are replaced. However Microsoft do not mention the replacement. I guess it's because KB2756918 is technically not a security update.) EDIT (2013-01-11): Add note that KB982306 and KB982168 are replaced.

Windows XP KB2757638 | MS13-002 | msxml | 36306 | Doesn't replace KB2719985 KB2758694 | MS13-002 | msxml4 (optional component) | 36292 | Replaces KB2721691 APSB13-01 | Flash Player 11.5.502.146 | (a.k.a. KB2796096 in IE10) Office 2003 KB2760574 | MS13-002 | msxml | 36361 | Replaces KB2687627 KB2760754 | not security | outlfltr | 36353 | Replaces KB2760582 And I've updated your 'todo' list for the Office 2003 updates: Minus sign means 'to be removed'; plus sign means 'to add this update'. -2597086 (replaced by 2687481, 2012-Nov) -2598361 (replaced by 2687626*, 2012-Nov) -2687323 (replaced by 2726929*, 2012-Dec) -2687324 (replaced by 2760574, 2013-Jan) -2687403 (replaced by 2760754, 2013-Jan) -2687483 (replaced by 2760497, 2012-Dec) +2687481 +2687626 +2726929 +2760497 +2760574 +2760754

Thanks to tomasz86 and the reference here, I made it working now: INF AddReg Directive (Windows Drivers) I forgot that it is possible to set the registry permissions by just using the AddReg directive in the INF file. So here it is. Copy the code below, save it as an INF file, and use it as an HFSLIP addon: [Version] Signature="$Windows NT$" [DefaultInstall] AddReg=SmartCards.Add.Reg [SmartCards.Add.Reg] HKLM,"SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" ; For x64 please uncomment the line below: ; HKLM,"SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards" [SmartCards.Add.Reg.security] "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)"

In KB909520 (Base Smart Card Cryptographic Service Provider update), there's a section in the update_winxp.inf that sets the permission of a registry key. [SecurityRegistryAfterInstall] "MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)" ; x64 have this additional line: ; "MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards",2,"D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)" Because I observed what permissions have changed, I can briefly explain what this string does: "D:P(A;CI;GR;;;LS)(A;CI;GR;;;BU)(A;CI;GR;;;PU)(A;CI;GA;;;BA)(A;CI;GA;;;SY)(A;CI;GA;;;CO)" Allow Read permission on 'LOCAL SERVICE' Allow Read permission on 'Users' Allow Read permission on 'Power Users' Allow Full Control permission on 'Administrators' Allow Full Control permission on 'SYSTEM' Allow Full Control permission on 'CREATOR OWNER' (EDIT: The string format is Security Descriptor Definition Language. For people who want to learn more, read this and this.) Now here is my question: How do I integrate this permission change? (EDIT: Some people have confused about what I was asking, so let me say it again: I want to set the permissions of a registry key, not to modify a value entry.) HFSLIP doesn't do anything about this, so in the slipstreamed Windows the key "HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards" retains the original permission (that is, "inherit from the parent keys"). I didn't test this on nLite though. Because I'm trying to integrate KB909520 without nLite or HFSLIP, I'm confused about what to do with this. I accept any method (batch scripts, INF file, etc.) as long as I don't have to put the entire "Windows-KB909520-v1.000-x86-ENU.exe" into my disc. Is that possble, and how? Thank you. Explorer09

Hey Mimo, are you going to update your Office 2003 file-checker soon? I've updated my last post, so you can save your time checking the Microsoft Update: More compact version: Minus sign means 'to be removed'; plus sign means 'to add this update'. -2597086 (replaced by 2687481, 2012-Nov) -2598361 (replaced by 2687626*, 2012-Nov) -2687323 (replaced by 2726929*, 2012-Dec) -2687324 (replaced by 2760574, 2013-Jan) -2687403 (replaced by 2760754, 2013-Jan) -2687483 (replaced by 2760497, 2012-Dec) +2687481 +2687626 +2726929 +2760497 +2760574 +2760754 EDIT: updated for January 2013 Patch Tuesday.

Thanks for your correction.

In case someone likes to keep this thing updated: December 2012 Patch Tuesday Windows XP x64 KB2761465-x64 | MS12-077 | IE | IE6:36002 IE8:35864 | replaces KB2744842 in MS12-063 KB2753842-x64 | MS12-078 | Atmfd.dll | 35937 | replaces KB2507618 in MS11-032 KB2779030-x64 | MS12-078 | Win32k.sys | 35919 | replaces KB2761226 in MS12-075 KB2758857-x64 | MS12-081 | Kernel32.dll | 35918 | (KB2758857 + KB968389 together replace KB959426) KB2770660-x64 | MS12-082 | DirectPlay (Dpnet.dll) | 35893 | None KB2779562-x64 | non-security | timezones | 35797 | replaces KB2756822 KB2748349-x64 | non-security | Volume Shadow Copy (volsnap.sys) | 35860 | None KB890830 | MSRT 4.15.6902.0 | 9905 APSB12-27 | Flash Player 11.5.502.135 | (also known as KB2785605 or advisory 2755801 in IE10) EDIT: Add a note that KB2758857 + KB968389 together replace KB959426. Thanks to -X- for correction. EDIT2: Add a high-priority update KB2748349, which appears on my Windows Update.

So, the November root certificates update is just a test release, isn't it? Anyway. I've prepared the list: (sorry for repeating what other people say) December 2012 Patch Tuesday Windows XP KB2761465 | MS12-077 | IE | IE6:35934 IE8:35962 | replaces KB2744842 in MS12-063 KB2753842 | MS12-078 | Atmfd.dll | 35845 | replaces KB2507618 in MS11-032 KB2779030 | MS12-078 | Win32k.sys | 35863 | replaces KB2761226 in MS12-075 KB2758857 | MS12-081 | Kernel32.dll | 35926 | (KB2758857 + KB968389 together replace KB959426) KB2770660 | MS12-082 | DirectPlay (Dpnet.dll) | 35872 | None KB931125 | Root Certificate update 37.0.2195.0 | 35945 KB890830 | MSRT 4.15.6902.0 | 16 APSB12-27 | Flash Player 11.5.502.135 | (also known as KB2785605 or advisory 2755801 in IE10) Office 2003 KB2760497 | MS12-079 | Word | 35997 | replaces KB2687483 in MS12-064 KB2726929 | MS12-060 | Mscomctl.ocx | 36010 | replaces KB2687323 in the same bulletin (*) KB2687627 | MS12-043 | Msxml5 | 35988 | replaces KB2687324 in the same bulletin (*) KB2760582 | non-security | outlfltr | 36008 EDIT: And don't forget these: KB2687481 | MS12-076 | Excel | 35715 | replaces KB2597086 KB2687626 | MS12-046 | Vbe6.dll | 35717 | replaces KB2598361 in the same bulletin (*) Mimo didn't update the Office 2003 update list in November. * : KB2726929 should be identical to KB2687323 but MS renewed the certificate inside the update. See Advisory 2749655. KB2687627 should be identical to KB2687324 but MS renewed the certificate inside the update. KB2687626 should be identical to KB2598361 but MS renewed the certificate inside the update. I don't know why MS don't call them KB2687323v2, KB2687324v2, or KB2598361v2 respectively. EDIT2: Yes, -X- is right. KB2758857 + KB968389 together replace KB959426. (I just forgot the secur32.dll in KB968389) EDIT3: Add KB2687627, KB2687626. I missed these two updates before I check Windows Update.