Update Win 7, or Not ?


taos

Well, I'm going to, not so much "eat my hat" but at least have a little nibble at its edges. I just came across a situation in which in the space of a few days I tried installing and using two new programs and Win7 SP1 told me that the drivers the programs were trying to install weren't digitally signed -- so Win7 wasn't going to let the programs install them. I went off and did some research and found out that the drivers the programs were trying to install were signed but using SHA-256 signatures. And, it seems, Win7 x86/x64 at SP1 level, and with no other updates installed, can't read the signatures.

Cutting a long story short, the solution was to install the following updates (and in the following order):

KB3035131 (download can be accessed via here) https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-025
KB3033929 (download can be accessed via here): https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929

So, Taos, or anyone else that is reading/following this thread and trying not to update their Win7 SP1 system unless really necessary, it would seem that these two updates are moving into the necessary stage as more and more software developers will move towards digital signing using SHA-256. So, going by my experience, I'd recommend installing those two.

Now I'm thinking that it would be a useful addition to this "Windows 7" section of the forum if there was a kind of 'sticky' thread where people using Win7 SP1 that are trying to avoid updating it, if possible, could post information on updates that, over time, they've found are necessary but that avoid Microsoft spyware and other suspect stuff. Of course, don't just say, "Install KBxxxxxxx," say why it's pretty well essential to do so too.

Hope this helps.

Important Edit: erpdude8 has posted a correction to this post (see erpdude8's post below). Do not install KB3035131 -- it is obsolete. Instead install KB3071756 -- again see erpdude8's comments below with a link to the update.

Edited by Radish


On 9/7/2018 at 2:42 PM, Radish said:

Well, I'm going to, not so much "eat my hat" but at least have a little nibble at its edges. I just came across a situation in which in the space of a few days I tried installing and using two new programs and Win7 SP1 told me that the drivers the programs were trying to install weren't digitally signed -- so Win7 wasn't going to let the programs install them. I went off and did some research and found out that the drivers the programs were trying to install were signed but using SHA-256 signatures. And, it seems, Win7 x86/x64 at SP1 level, and with no other updates installed, can't read the signatures.

Cutting a long story short, the solution was to install the following updates (and in the following order):

KB3035131 (download can be accessed via here) https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-025
KB3033929 (download can be accessed via here): https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2015/3033929

So, Taos, or anyone else that is reading/following this thread and trying not to update their Win7 SP1 system unless really necessary, it would seem that these two updates are moving into the necessary stage as more and more software developers will move towards digital signing using SHA-256. So, going by my experience, I'd recommend installing those two.

Now I'm thinking that it would be a useful addition to this "Windows 7" section of the forum if there was a kind of 'sticky' thread where people using Win7 SP1 that are trying to avoid updating it, if possible, could post information on updates that, over time, they've found are necessary but that avoid Microsoft spyware and other suspect stuff. Of course, don't just say, "Install KBxxxxxxx," say why it's pretty well essential to do so too.

Hope this helps.

 

You will need either the KB3020369 or the KB3177467 servicing stack update installed first before installing newer updates beyond the KB3035131 and KB3033929 updates. Go with KB3177467, as that one supersedes / replaces KB3020369.

KB3035131 is an obsolete update, as it is superseded / replaced by the KB3071756 update (MS15-085) for Win7.

KB3071756 replaces KB3067505, KB3063858, KB3046049, KB3045999, KB3035131 updates

Edited by erpdude8

Big thank you from me too, erpdude8. Will follow your advice. (Have now put a correction in my original post on this matter.) Thanks again.

(Now I have to try to work out why I don't receive email updates to new posts in this thread. Argh!!!!!!)


Have another piece of interesting information on installing KB3033929 as follows:

Cutting a long story short, I had occasion to go into Windows Event Viewer (never really go there) and look at some of the Windows logs in there. In the Application section I discovered masses of errors labelled CAPI2, Event ID 4107. There were lots. The General (description) information for these events was:

Quote

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Unbeknownst to me, these errors were occurring from the time I had fresh installed Win7 Pro. SP1 up to early this month (September), then they just stopped happening. Kind of scratching my head over that so looking for a solution to the puzzle had a look at the Setup log and lo and behold the 4107 errors stopped after I had installed KB3033929. So it would seem that (again) the 4107 errors were being generated because Win7 Pro. SP1, with no other updates installed, couldn't read the certificate properly, because it lacked the capacity to manage SHA-256 hashes, and then misreported what the error was via the 4107 error description. I'm kind of guessing this but it seems to me it very much looks that way.

Different subject, but for what it's worth for folks trying to run Win 7 SP1 without updating it unless essential. In the Application logs I also found lots of errors labelled WMI, Event ID 10. They had the General description:

Quote

Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.

After a bit of research found this webpage: Event ID 10 is logged in the Application log after you install Service Pack 1 for Windows 7

Seems this is a common problem for some installs of Win 7 SP1. I created and ran the script mentioned on that webpage and the errors were no longer generated on every boot into Windows. So I thought this might be useful information to post into this thread.

As a result of finding all this out I've now become converted to at least viewing what is going on in Event Viewer logs and have even set up, via Event Viewer, Scheduled Tasks to automatically inform me if any of these errors recur (not that I'm expecting them to, they pretty well seem fixed).

Hope this helps.

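A read-only PowerShell check for the state described in the posts above, added here as an example and not code from any poster: it reports whether the KBs named in the thread are installed and counts recent Application-log events with ID 4107 and ID 10. The function names and the provider-name patterns (`*CAPI2*`, `*WMI*`) are assumptions; only cmdlets available in the PowerShell 2.0 that ships with Win7 SP1 are used.

```powershell
# Added example, not from the thread. KB numbers and event IDs are the ones
# quoted in the posts; function names and provider patterns are assumptions.
$kbs = 'KB3177467', 'KB3071756', 'KB3033929'

function Get-KbStatus {
    param([string[]]$Ids)
    foreach ($id in $Ids) {
        # Get-HotFix reads Win32_QuickFixEngineering. A KB that has been
        # replaced by a later update may not be listed even though the fix
        # it carried is present, so "False" means "check further".
        $hit = Get-HotFix -Id $id -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ KB = $id; Installed = [bool]$hit }
    }
}

function Get-ThreadEvents {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Application'
        Id        = 4107, 10
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "none".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Id -eq 4107 -and $_.ProviderName -like '*CAPI2*') -or
            ($_.Id -eq 10   -and $_.ProviderName -like '*WMI*')
        }
}

Get-KbStatus -Ids $kbs | Format-Table KB, Installed -AutoSize

# One row per event ID / provider, with the count and most recent occurrence.
Get-ThreadEvents | Group-Object Id, ProviderName | ForEach-Object {
    $latest = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
    New-Object PSObject -Property @{
        Event  = $_.Name
        Count  = $_.Count
        Latest = $latest
    }
} | Format-Table Event, Count, Latest -AutoSize
```

If the second table is empty after the updates are in place, no matching events were logged in the last 30 days; pass a larger `-Days` value to `Get-ThreadEvents` to look further back.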

9 hours ago, Radish said:

Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected. 

There was a fix from MS for this: MicrosoftFixit50688.msi, not easily available anymore, but I found it here.

Edited by alacran

  • 4 weeks later...

I stopped updating at the end of the last year, despite all the Spectre & Meltdown issues. ¯\_(O_o)_/¯
I've read too many problems about the new Microsoft patches (various still not fixed).

At this point I don't trust very much both MS's honesty (=not sabotaging Win7) and competence (they're constantly breaking Win10 too).

Edited by phaolo

I'm on Windows 8 (which allows me to use patches from Server 2012)

I've fresh installed on to a "new to me" PC workstation.  I've only updated to November 2017, except for IE 10 - I've installed the latest browser and Flash updates for it (Flash is built in to Windows 8).  I've gone no further.  Now my performance seems top-notch, but I worry that not updating in the long run will cause security holes in the OS.  Soon, I'll be a year out of date.  It seems "irresponsible" almost.

But @NoelC has gone through exhaustive testing and it shows installing the updates up until current (and disabling Spectre/Meltdown mitigations) still results in an 8% decrease in certain performance parameters. Now was that because those mitigations were still installed (although disabled)? Who's to say.

So what I hope to find is ABSOLUTE VALIDATION that installing all security updates to current but skipping March 2018's update is a worthwhile idea. @NoelC's theory is that not installing consecutive updates all the way through might destabilize the OS in some way, because newer updates require dependencies or prerequisites from older updates.  Somehow I need to get proof that's NOT the case.

 

Edited by Jody Thornton

All my 5 PCs at home are running Win7x64 SP-1 updated up to December 2017, Browser is Firefox on all, but two of them also have Google Chrome, AV is Avast Free, and also have Malwarebytes Antimalware Free only to run on demand (just in case), not a single problem so far.

Also all of them can dual boot Win10x64 Pro from another partition since I got an ID for them during the free update, but nobody here uses Win10, they all have an old 10 version.

Only one PC has Win10 with a more recent version 1709 updated to December 2017, but updates disabled, used mainly for running PEBakery to make some new WinPEs.

I installed on this PC on a VHD (just to test) the 10x64 Pro 1809 (downloaded last week with MCT) and I was able to see during second reboot a message saying something like Deleting or maybe Cleaning all old files on user profile, but since it was on a VHD I assume only files on that VHD were affected by this, I didn't lose any file on the HD Documents partition.

So since the thread title is Update Win 7 or Not? = I may say yes, but only up to December 2017.

Update to 10 = Better don't, it does not have any advantage over 7 and on the contrary it has all the disadvantages, it is Malware by definition, and ALL updates have a problem, especially the last one that can make you lose all your documents, you can never trust MS anymore.

Best Regards

alacran


On 10/10/2018 at 8:59 AM, alacran said:

... Malware by definition, and ALL updates have a problem, especially the last one that can make you lose all your documents, you can never trust on MS anymore.

Yup !

This corporate modus operandi is terrible.  And we must guard against updates from other corporations, too.

Such as...   here

'Back in 2016, printing giant HP sent a deceitful, malicious update to millions of OfficeJet and OfficeJet Pro printers that disguised itself as a "security update." Users who trusted HP and applied the update discovered to their chagrin that the update didn't improve their printers' security: rather, the updated printers had acquired the ability to reject cheaper ink, forcing the printer owners to throw away their third-party and refilled ink cartridges and buy new ones.

Now, Epson has followed suit: in late 2016 or early 2017, Epson started sending deceptive updates to many of its printers. Just like HP, Epson disguised these updates as routine software improvements, when really they were poison pills, designed to downgrade printers so they could only work with Epson's expensive ink systems.'

 

 


It's not just computers and printers either. About a year ago someone reported on AVSForum that a working Amazon Prime app got pulled off his Vizio TVs! I posted this on that forum in response:

I could understand it if Amazon changed something that broke the Vizio streaming app - his Vizios are five years old, after all. I've heard of built-in YouTube apps being rendered useless the same way: Google changes something, and old apps stop working. If you can't get an update, you're SOL.

But as I understand it, it's not just that technology advanced and rendered the streaming app in his Vizio TVs useless. Read Don's quote:

Quote

Amazon pulled their app off of my 5-year-old Vizio TVs.

(Emphasis added.) IOW, someone (it was probably Vizio, not Amazon, but it doesn't really matter) went in to his older TVs over the Internet and deliberately removed a working app from them! That's not just the inevitable march of technology, or even planned obsolescence - it borders on hacking....

We're living in a brave new world where corporations feel free to meddle with the products we thought we owned, possibly even to just make them less useful so we'll have to upgrade. I've had Micro$oft do this with WMC more than once (not to mention their yearlong push to "upgrade" me to Windows 10, which would have removed WMC entirely), and I've had Facebook do it with their app for older BlackBerrys.

Of course, you can take that too far. I know folks who now refuse even security updates from Micro$oft because of the distrust generated by M$'s "free" Windows 10 upgrade campaign, the telemetry (read: spyware) that M$ has built into some updates, etc. Of course that leaves them vulnerable to viruses, ransomware, etc., so I think they're going too far; nevertheless I understand their decision even if I don't take the same chances with my own PC.


1 hour ago, Mathwiz said:

(Emphasis added.) IOW, someone (it was probably Vizio, not Amazon, but it doesn't really matter) went in to his older TVs over the Internet and deliberately removed a working app from them! That's not just the inevitable march of technology, or even planned obsolescence - it borders on hacking....

It's not the 1st time involving amazon, though, maybe it's already becoming a habit. That's why I abhor autoupdate, remote support (by corporations, at least, not from friends one trusts) and the cloud in general... remember the matter quoted below?

On 9/10/2013 at 3:34 AM, dencorso said:

Remember when amazon.com sent Animal Farm and 1984 kindle editions down the memory hole? And remember that all involved fully failed to see what was being done in Orwellian terms, at least until customers began to point it out while complaining?


I thought Kindle was a great idea; yet I never trusted it for that very reason: from the get-go it was designed so Amazon could pull back anything you thought you owned.

BTW you need to update the link above to https://en.wikipedia.org/wiki/Amazon_Kindle#Criticism. Wikipedia's editors didn't send the criticism of Kindle down the memory hole, but they did relabel it a bit ;)
