Dave-H

I looked at the article, and then remembered that I had been there before. Unfortunately the "certutil" program does not exist in XP, so I didn't pursue the fix at that time, and the "fix-it" links just go the MS homepage. This time I was more persistent, and I found that the "certutil" program can be added to XP by installing the Server 2003 Admin Pack. This I did, and ran the command, and cleaned the folders specified. On reboot, a lovely set of crypt32 updates in my Application log, with no errors! So, fingers crossed it's finally fixed!

Thanks, I'm not sure whether I've been to that article before or not, but I'll certainly check it out. I'm working in Windows 10 at the moment!

I'm still getting the huge numbers of error messages in my Windows Application log - "Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file." They seem to be coming regularly every seven days. Is there no way of stopping this? It's not related to @heinoganda's updater, or to HTTPSProxy, as it's now happening on my netbook too, which has never had either of them installed or run on it, or any other modification knowingly made to its certificate structure. Presumably this isn't happening for everyone, or there would be far more reports of it, so why is it happening to me?!

I've always copied the latest version of jfxwebkit.dll over along with all the other files. I've not seen any resulting issues, but I probably don't have anything that uses it anyway.

I just use search and replace on my registry editor!

I assume it's to stop any auto-update routine from still nagging you to update when you already have the latest files. Personally I've always re-named the folder to reflect the new version, rather than leave it as jre1.8.0_152, but if you do that you will need to reflect that in the registry entries of course, and manually edit the "deployment.properties" file in the "D:\Users\{username}\Application Data\Sun\Java\Deployment" folder to get the path right again. Neater for me, but I have terrible OCD about that sort of thing!

@glnz Why have you got Malwarebytes and Avast installed? I would never have more than one internet security/anti-virus program installed as they would be almost certain to conflict with each other at some point. As I said before, if a Microsoft Update scan comes up with no updates needed, and everything in Windows Explorer works fine, you must be OK with them.

I have noticed that the registry data for some XP updates does imply that they are part of SP4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP4 I guess MS did at one time intend to release an official SP4 but never did.

When I installed @heinoganda's KB4018556-v2, I was then prompted by MS Update to reinstall KB4018556 (which I had already installed). I think this may have been an issue with the first version of Heinoganda's patch, which has now been corrected. If you weren't prompted to install KB4018556 again after you installed KB4018556-v2, I wouldn't worry about it!

If Microsoft Update says you're fully patched with up to date patches, and everything in Windows Explorer is working as it should be, I don't see any reason to uninstall any of them. In your position I would completely uninstall Malwarebytes and see if the system is then stable, with no BSODs or freezes. If it is, then try reinstalling it.

I use a driver "TCP Half Open Limited Patcher (TCP-Z)" to provide the same function. It's from someone called "deepxw". It's also still working fine.

@FranceBB If @pixelsearch2's system is XP, rather than POSReady, there's obviously no point in him reporting this to Microsoft. What's needed is for as many people as possible with genuine licensed actual POSReady systems to report it, as MS are actually shipping a buggy update (three times!) to a still supported operating system!

The only satisfactory answer at the moment to this is to message @heinoganda who can provide a modified KB4134651-v2 patch which contains all the latest files except for oleaut32.dll, which will be the last properly working version. As far as we know, this does not have any security implications.

The issues are not immediately obvious. If you look at the properties of a shortcut and select the "Find Target" button, does it work? It not working is one of the symptoms of the bug(s) in the recent versions of oleaut32.dll.

Thanks, all now installed and working fine!

Thanks for the heads up! Will you be providing us with a workaround for this again?

Hear, hear!

Thanks!

The last "!", the name mismatch, you can get rid of by going to Control Panel>Internet Options>Advanced>Security and unticking "Warn about certificate address mismatch".

Yes, I've been having problems with the e-mail notifications ever since the recent server crash. I'm getting some again now, but I'm still not convinced that it's working as it should. I've had a few e-mails about posts from a couple of days previously, which should have come through straight away of course.

Are you saying that certificates should never be manually deleted from the lists in the Internet Options>Content tab? Sorry I'd forgotten about the delroots.sst you gave me, but I have still got it saved! No more errors as yet, but if they return I'll try the procedures again.

Ah thanks, I was wrong about the registry entries in that case. I just assumed because the options were already ticked when I added them to the interface that the options were already enabled. Obviously not! The wrong security certificates picked up by howsmyssl.com are mentioned in the thread here. I don't think they're anything to worry about, but somebody said they had deleted them with no dire consequences! What are the errors you're seeing? Are they name mismatches?

If I understand things correctly, you don't have to add the registry entries to enable TLS 1.2 in IE8, it's already enabled by the updates. The registry entries just add tick boxes to the Internet Options interface to allow you to disable it if you want to for any reason. howsmyssl.com will confirm whether it's enabled or not.

I was impressed this morning when I had an e-mail from PayPal saying that they would be blocking browsers they consider insecure very soon, that when I tried their test on IE8, it now said it was fine, without HTTPSProxy enabled!

Thanks, I did actually try most of that yesterday, including toggling off and on all the settings I need on and re-saving every change, and this morning I found that some e-mails had come though. Again some were for posts which had been made a couple of days ago, so it looks like they were delayed for some reason. I'll see how it goes now.