Post-HFSLIP Win 2000 Pro: Installing future Security Updates

[Timber]

I used HFSLIP for Windows 2000 Professional SP4 and the associated security updates about one and a half years ago (in July 2008) and I have been really happy with the results. A lot of people have contributed their efforts here to help make things run really smoothly, for which I am very grateful and I thank you!!!

Now, however, I have a dilemma. I have a ton of programs installed and am happy with the status of my O/S. I would prefer just to install all of the security patches that have come up in the last one and a half years manually, instead of creating a new HFSLIPed CD and starting my O/S installation from scratch.

So, I'm endeavouring to use TommyP's "green list" as my reference point for grabbing all of the necessary security updates that have come up between the time of my HFSLIP and now.

I've used a list of all of the KB values which appear in the following area of the Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\

I've compared those KB values against the KB values in TommyP's green list.

Overall, I'm able to see most of the gaps in what I have installed and what's on TommyP's green list, but I do have a few questions that I hope you can help me to answer.

1. Should I be trying to install security updates in any kind of order, say, based on the oldest date first? Perhaps, instead, I can safely install them in any order, with the assumption that no update will contain a duplicate file and that even if different updates do contain duplicate files, an older version will not overwrite a newer version of said file during the installation process?

2. Is there possibly going to be a problem if I install a security update twice? If not, I'd rather be safer than sorry in a few cases where I am uncertain if I included the security update when I made the HFSLIP installation, and just try to re-install in case I didn't install an update in the first place. Should I expect any particular error messages when installing an update twice or would most updates simply just install over themselves without issue?

3.In terms of MSXML, it appears that I have the following dlls under my \WINNT\System32\ directory with "msxml" in their name:

msxml.dll

msxml3.dll

msxml3a.dll

msxml3r.dll

msxml4.dll

msxml4r.dll

msxmlr.dll

I am going to assume that I therefore have MSXML 4 installed and not MSXML 6 installed, and will thus grab the msxml4-KB954430-enu.exe (MSXML4) update but not the msxml6-KB954459-enu-x86.exe (MSXML6) update.

However, I don't see any msxml dll entries with the number "2" in them. Does that mean I do not need the msxml2sp6-kb887606-x86-enu.exe (MSXML2) update or should I install that one, too?

Note that if it helps to know, my original source was Windows 2000 Professional without any Service Packs, to which I manually slip-streamed SP4. I used the manually slip-streamed SP4 set of files in my HFSLIP SOURCE directory.

4. In my HFSLIP, I went with Windows Media Player 6.4 instead of Windows Media Player 9. However, I also chose to install the Windows Media Player 9/10 Codec package.

It appears that I have also installed one of the WM9/10 Codec updates, WindowsMedia-KB911564-x86-ENU.exe. Can I safely assume that I need to install all of the updates listed as entries on TommyP's green list with a "Notes" value of "WM9/10 Codecs"? Am I likely to run into problems with manually installing some or any of these updates by sticking with Windows Media Player 6.4?

For example, just looking at the KB article for one of those security updates:

http://support.microsoft.com/kb/941569

I get a little bit leery by reading the following text:

=====

MS07-068: Vulnerability in Windows Media file format could allow remote code execution

Known issues with this security update

Consider the following scenario. You install security update MS07-068 on a computer that is running the following items:

* Microsoft Windows 2000 with Service Pack 4

* Windows Media Player version 7.1 or an earlier version of Windows Media Player

In this scenario, Windows Media Player might no longer correctly play some media files. For example, Windows Media Player might not play .mp3 files correctly.

=====

The other oddity is that the "APPLIES TO" section of the kb article only lists "Microsoft Windows 2000 Advanced Server SP4" and "Microsoft Windows 2000 Datacenter Server" for Windows 2000 versions, without a mention of Windows 2000 Professional.

So, does one or both of those oddities mean that I should not install that update?

5. I was thinking of using the "/norestart" switch when executing the security updates from a command line, and perhaps manually rebooting after every 10 or so updates get installed. Does that plan sound good?

6. Do you have any other tips or caveats for installing these security updates manually?

7. Is there any easy way to install a more recent HFSLIPed version of the same O/S with more recent security updates integrated overtop of my existing installation without wiping out the records of my installed programs and other settings? For example, is there some sort of "repair" option for a bootable O/S CD that automatically updates the O/S with all of the newer security updates from the HFSLIPed CD while maintaining everything else in the Windows Registry and elsewhere (registered dlls, etc) that aren't directly affected? I guess I'm probably just dreaming here, aren't I?

[tommyp]

I'll try to tackle this stuff, but I'm not a msft expert. These aren't really HFSLIP questions btw.

1. If installing manually, there is no order. Newer binaries will overwrite old ones. However, if you install IE6 after the fact, you'll have all the IE6 hotfixes to install.

2. There is not prob with installing hotfixes twice. No change to your OS will happen.

3. You're on your own with msxml. There's several types of msxml. For hfslip to work, you need the msxml hotfixes listed. I suppose you can just install them manually, but no guarantees.

4. If you are installing wmp codecs, you need the codec hotfixes that are listed on the hotfix page.

5. It does not matter. You can install everything and then reboot when done.

6. It will be easier to burn a new image than installing all the hotfixes manually.

7. You are on your own with how to install windows. Ask that one in the right forum.

[Timber]

Thank you for your responses! You answers have been quite helpful!

6. It will be easier to burn a new image than installing all the hotfixes manually.

I would indeed prefer to use HFSLIP to create an up-to-date image (I'm assuming you mean an ISO file when you say image) and install that, presumably from a bootable CD, than to have to manually apply a bunch of patches.

Would installing the O/S again from CD format my root partition or there is there some way of extracting or applying patches from an ISO (whether burned to a CD or extracted directly from the hard drive) without wiping out my O/S partition's data?

Yes, you are right, my questions are not HFSLIP-specific, but I believe that they are related in that am trying to figure out if I can use the HFSLIP route without having to reformat my O/S partition (or even get an opinion that says it is worth it to reformat an install the latest HFSLIP compared to manually installing patches, if that is what someone believes). Anyway, I'll try and poke around the other forums to see what answers I can dig up, as you suggest. Thanks once again!

[tommyp]

I suppose you could extract each relevant hotfix, compile the appropriate INF files for each hotfix, boot via a bartcd, copy the binaries to their home, reboot to the real machine, apply the INF files and you'll be good to go. Too much work. It's easier double clicking each hotfix. When done, go to your windows folder and delete all the hidden hotfix uninstaller folder. Visit the hfslip.org website for a tool called hfnetchk. It's a small batch file that will tell you what hotfixes need to be applied. It's easier doing that than using WU.