Server 2008 Updates on Windows Vista

Jody Thornton

6 hours ago, VistaLover said:

I had to install recently the standalone KB4474419v4 file to enable SHA-2 code signing support in my SP2 system; I can, too, confirm it comes with raising the build number to 6003:

I'm guessing your reason was related to definition updates for Vista's ancient Windows Defender. Are you able to install the latest definitions for Defender with KB4474419 v4 installed?


17 hours ago, Vistapocalypse said:

I'm guessing your reason was related to definition updates for Vista's ancient Windows Defender.

You win! :cheerleader:

17 hours ago, Vistapocalypse said:

Are you able to install the latest definitions for Defender with KB4474419 v4 installed?

I sure am :cheerleader:; I was planning to post a detailed new article in the Vista forum (when my spare time permitted), but since you couldn't wait, I didn't want to come off as giving you the cold shoulder...


FTR, the setup file itself (mpas-fe.exe) used to be (until and including Sun Oct 20th) dual signed (both SHA1 & SHA2 digest algorithms); that file is comprised by four other files:


mpas-fe.exe v1.303.1946.0 released on Fri Oct 18th was the last one to be itself and all of its constituents dual signed - engine version in that file was 1.1.16400.2 (as said, dual signed); this was the last version of mpas-fe.exe (and, of course, mpam-fe.exe for MSE) installable on a Vista SP2 OS without SHA2 code-signing support present!

Later that day (in my timezone), new version 1.305.17.0 was released (might've been another 1.305.x.x version I missed prior to that :(); while file mpas-fe.exe was still at the time dual-signed (but I could only see the SHA1 sig then), to my great dismay I discovered that running the file would not update my WD defs :realmad:; to cut a long story short, and after at least an hour of troubleshooting (which included dependency walker, as I was misled by what M$ did to the XP users of MSE/WD), I realised that

1. The 1.305.x.x series introduced a new engine version, v1.1.16500.1
2. While I could see SHA1 sigs for files mpas-fe.exe, MpSigStub.exe, mpasbase.vdm, mpasdlta.vdm, I couldn't for the engine DLL file, mpengine.dll, so I assumed it was only SHA2 signed.

In the past, I wasn't that worried about files only signed with SHA2, other than the fact I couldn't be 100% sure the file hadn't been tampered with... For executables, a prior update, KB2763674, made it possible to run them (although, in retrospect, not a clever thing to do if one is unable to verify EXE's signature...).

But in the case of WD (and MSE), the anti-malware application has to verify (via the OS) the updated engine and definitions files (contained in the downloaded mpas-fe.exe setup) for it to load them; not being able to verify mpengine.dll, WD remained stuck at defs v1.303.1946.0 (with engine v1.1.16400.2) :(

Since I was not running Avast, I decided to install (latest) SHA2 code-signing support in my OS and retry with the 1.305.x.x mpas-fe.exe files; it WORKED! :thumbup

It wasn't until sometime during Sun, Oct 20th, that M$ posted some relevant details in their now "rebranded" Security intelligence page: 


Note: Starting on Monday October 21, 2019, the Security intelligence update packages will be SHA2 signed.
Please make sure you have the necessary update installed to support SHA2 signing, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

Intelligence my... behind (!) :realmad: ; make no mistake - you read right: they had already broken mpas-fe.exe on Vista SP2 since the evening (UTC+0300) of Fri 18th... :angry:

FWIW, latest (1.305.941.0) mpas-fe.exe file is itself only SHA2 signed, files MpSigStub.exe + mpasbase.vdm are dual-signed and files mpengine.dll + mpasdlta.vdm only SHA2 signed (i.e. still a mess! :angry: )

It isn't that I have blind faith in WD's efficacy these days, I have a paid-for full Internet Security Suite (Kaspersky) as my line of defence, WD is kept going for "legacy" reasons; KIS doesn't object to WD being enabled, nor did it manifest any adverse symptoms after the update to Vista 6003.

Windows Update is busted in this machine since the first week of July 2019 (still at build .6002 then), when M$ reconfigured things; in any case, only WD (delta) definition updates were coming via WU until that time (I don't have M$ Office 2010); and, as expected, even after installing both KB4474419-v4 and KB4517134 (latest SSU for WS2008SP2), I still have to manually update WD... :angry:

Regards :)

Edited by VistaLover
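An added example, not part of the original posts: the post above sorts the package's files into SHA1-signed, SHA2-only and dual-signed, and this Python code reads that straight from a PE file by listing the digest algorithm of its primary Authenticode signature and of the first value of each nested-signature attribute. The function names and the `sample_pe` skeleton are constructed for illustration; it assumes DER-encoded PKCS#7 data and recognises only SHA-1 and SHA-256.

```python
import struct

OIDS = {"SHA1": bytes.fromhex("06052b0e03021a"),             # DER OID 1.3.14.3.2.26
        "SHA256": bytes.fromhex("0609608648016503040201")}   # 2.16.840.1.101.3.4.2.1
NESTED = bytes.fromhex("060a2b060104018237020401")  # nested-signature attribute OID

def tlv(buf, pos):  # -> (value_start, value_end) of the DER element at pos
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def signed_data_digests(buf, pos):
    """Digest names in SignedData.digestAlgorithms of the ContentInfo at pos."""
    p, _ = tlv(buf, pos)      # ContentInfo SEQUENCE
    _, p = tlv(buf, p)        # contentType OID, skipped
    p, _ = tlv(buf, p)        # [0] EXPLICIT wrapper
    p, _ = tlv(buf, p)        # SignedData SEQUENCE
    _, p = tlv(buf, p)        # version INTEGER, skipped
    start, end = tlv(buf, p)  # digestAlgorithms SET
    return [name for name, oid in OIDS.items() if oid in buf[start:end]]

def authenticode_digests(pe):
    """Digest algorithms of the primary and nested signatures in a PE image."""
    opt = struct.unpack_from("<I", pe, 0x3C)[0] + 24  # optional header offset
    dirs = opt + (112 if pe[opt:opt + 2] == b"\x0b\x02" else 96)  # PE32+ or PE32
    off, size = struct.unpack_from("<II", pe, dirs + 32)  # security directory entry
    blob = pe[off + 8:off + size]  # PKCS#7 data; empty when size is 0 (unsigned)
    found, pos = (signed_data_digests(blob, 0) if size else []), blob.find(NESTED)
    while pos != -1:  # first value of the attribute's SET is a nested ContentInfo
        found += signed_data_digests(blob, tlv(blob, pos + len(NESTED))[0])
        pos = blob.find(NESTED, pos + 1)
    return found

def der(tag, body):  # builder for the constructed sample; bodies stay < 128 bytes
    return bytes([tag, len(body)]) + body

def sample_pe(*names):
    """Constructed PE32 skeleton, not a valid signature: one SignedData per name."""
    sig = b""
    for name in reversed(names):  # build the innermost (last-named) signature first
        extra = der(0x30, NESTED + der(0x31, sig)) if sig else b""
        sd = der(0x30, b"\x02\x01\x01" + der(0x31, der(0x30, OIDS[name] + b"\x05\x00")) + extra)
        sig = der(0x30, bytes.fromhex("06092a864886f70d010702") + der(0xA0, sd))
    hdr = bytearray(0x40 + 24 + 96 + 128)
    hdr[:2], hdr[0x3C], hdr[0x40:0x44], hdr[0x58:0x5A] = b"MZ", 0x40, b"PE\0\0", b"\x0b\x01"
    struct.pack_into("<II", hdr, 0x58 + 96 + 32, len(hdr), 8 + len(sig))
    return bytes(hdr) + struct.pack("<IHH", 8 + len(sig), 0x200, 2) + sig
```

On a real file, pass `open(path, "rb").read()` to `authenticode_digests`; a result of only `['SHA256']` is the case the post describes, where the OS needs SHA-2 code-signing support before it can verify the file.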

  • 2 weeks later...

I guess it's again time for the monthly batch of updates.

KB4526478 - Servicing Stack Update for Windows Server 2008 - 32-bit | 64-bit

KB4525106 - Cumulative Security Update for Internet Explorer 9 - 32-bit | 64-bit

KB4525234 - Security Monthly Quality Rollup for Windows Server 2008 - 32-bit | 64-bit

KB4525239 - Security Only Quality Update for Windows Server 2008 - 32-bit | 64-bit

Optional updates:

KB4528081 - Update for Windows Server 2008 - 64-bit (apparently this update lets Server 2008 machines get updates after Jan. 2020 but it's only available in the 64-bit flavor for some reason)


And that's it for November updates for now, but I'm pretty sure another timezone update will be released in a couple days so will try to add it to this list as soon as it's out.


  • 1 month later...

It's been a long time, but I finally managed to update the repository:

  • Replaced Monthly Rollup with the new KB4530695 (located on the root directory of the repository)
  • Added Security Only Updates, KB4516051, KB4520009, KB4525239 and KB4530719 (located in the folder "/Security Only (Post August 2018)")
  • Added Servicing Stack Update KB4531787 (located on the root directory of the repository)
  • Replaced Internet Explorer Cumulative Update with KB4530677 (located in the folder "/Security Only (Post August 2018)")
  • Updated SHA2 update KB4474419 to v4 (located in the folder "/SHA2")
  • Replaced .NET Security and Quality Rollups:
    • KB4507003 for .NET Framework 2.0 and 3.0 (located in "/NET 2.0 SP2/Security and Quality Rollup");
    • KB4507001 for .NET Framework 4.5 (located in "/NET 4.5.2/Security and Quality Rollup");
    • KB4533012 for .NET Framework 4.6 (located in "/NET 4.6-4.6.1/Security and Quality Rollup").
  • Updated the TLS 1.1 and 1.2 enabling reg file to include x64 (located in "/Extras")

I hope I didn't miss any updates. This should cover the 4 months of updates missing. I think all of these updates require SHA2 support, so be sure to first install the Servicing Stack and SHA2 updates found in the "SHA2" folder. After Server 2008's EOL there might be a chance to use Extended Security updates on Vista until 2023, thanks to @abbodi1406's "Bypass Windows 7 ESU" hosted on MyDigitalLife forums, though I don't think anybody has tested the bypass on an actual Vista install.

Merry Christmas, happy New Year and here's to 3 more years of patching :hello:



  • 1 month later...

Yes. I updated my WD definitions to 1.307.2582.0 yesterday 18/01/2020 using manual download/update. (Using WD 'check for updates' before the manual download/update told me that I was up to date with no new definition updates)


Hello again @Stevo, and thanks for answering my question. (I'm not running build 6003 and have no SHA-2 support with which to test.) Does this mean you're not using Avast anymore? I'm using Avast Free 18.8 on Vista these days, and I know it creates Group Policy keys that prevent users from turning Defender on in order to avoid conflicts.

Did you install the last-ever Server 2008 updates on Windows Vista last week? Any issues?


Hello @Vistapocalypse, I am still running Avast Free 18.8 and also Defender. I edited registry as per Avast Forum (I know it was Avast 12.2.2276 & W7 but gave it a try) and runs OK.

Yes, I did also install the last-ever Server 2008 updates on Windows Vista and have not observed any issues.

Just for my curiosity, why have you chosen not to update to build 6003 + sha2 support?



  • 4 weeks later...

@WinClient5270 How possible would it be to make something like the Simplix pack for Windows Vista, now that all Vista/2008 updates are done?

It would be nice to have that in an integrated ISO, as well as the Ultimate Extras, as Microsoft is already breaking download links for various updates, etc.


46 minutes ago, Vistapocalypse said:

@Dylan Cruz Welcome to the Windows Vista forum. The closest thing we have to that now is greenhillmaniac's repository at https://mega.nz/#F!txxRyLzC!1vBMGzMHiL864f3bl1Rj1w. Hopefully he will add the January 2020 updates to it and post here again before too long.


I have the SP2 ISO. So what I'm looking at is the stuff in the middle, basically:

  • All updates released after SP2 through EOL/EOS
  • Internet Explorer 9 (unless that's part of SP2...)
  • Ultimate Extras

The 2008 repository comes into play only after one already has that - so I'm not quite there, yet.

Simplix is a well known solution for Windows 7, right through EOMS in January 2020, but apparently there's nothing similar for Vista. It would be kind of nice to allow people to take their SP2 ISOs and then slipstream all the updates into them easily.



KB4534303 Monthly Rollup https://www.catalog.update.microsoft.com/Search.aspx?q=4534303

KB4536953 Servicing stack update

KB4534312 Security-only

KB4534251 Internet Explorer


KB4537810 Monthly Rollup ESU https://www.catalog.update.microsoft.com/Search.aspx?q=4537810

KB4537830 Servicing Stack Update  ESU?  https://www.catalog.update.microsoft.com/Search.aspx?q=4537830

KB4537822 Security-only ESU




All I did is:

set ForceHook=1

and change the build number to 6003





3 hours ago, Vistapocalypse said:

Windows updates were still available at last report, but four patches need to be manually installed to get Windows Update working. WinClient5270 made a video: https://www.youtube.com/watch?v=MtGYgxfpkeg

It seems most of them are available here: 

I guess it's possible those updates in question are contained here?

It'd be nice to have an offline pack so I don't need to fetch them online every time.

The link above says it doesn't include hotfixes, for whatever reason, so that could be concerning...

