On decommissioning of update servers for 2000, XP, (and Vista?) as of July 2019

[max-h]

56 minutes ago, digbick said:

I have the 0x800b0003 error with online and offline update in wumt. I'm using the latest wsusscn2.cab with sha-1 signature from july 13th, but I don't think this has something with the error since the only vector that causes the error is the presence of IE8.

I need IE8 just to read some html reports generated from a legacy software that runs only in windows xp due to the hardlock.

It's normal (See here). Use an old wsusscn2.cab and it will work  : https://web.archive.org/web/20191209214827/http://download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab

Edited October 25, 2020 by max-h

[windows95__]

Just tried the patch on windows 2000 and it doesnt seem to work. Just hangs on making sure your computer has the up to date activex control.

[Dave-H]

It should certainly get beyond that stage, it's when you actually scan that it will fail if the patch hasn't worked.
Have you tried repeatedly reloading it? On my system it can take many attempts before the page will even load at all, and it sometimes even then hangs on the "checking" page, as you're seeing.
Eventually though, it has always loaded for me, at least recently.

[windows95__]

It decided to load the page this morning, but checking for updates results in the cannot find the windows update server error. Weird. Perhaps my version of the kernel extension is out of date?

[digbick]

The patch is working in FLP with POSReady reg too.

[max-h]

I see no one mentioned it, but WU is down again (since friday november 30) and for good this time.

MS restricted to TLS 1.2 and cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 which is not supported by XP SP3.

Abbodi on MDL finded an ultime solution with a proxy to upgrade TLS connection (the proxy connect to WU with TLS 1.2 and responding to XP with TLS1) but for me (and other members), it's not working... I get error 0x80072EFE like a direct connection.

Edited November 5, 2020 by max-h

[cc333]

38 minutes ago, max-h said:

I see no one mentioned it, but WU is down again (since friday november 30) and for good this time.

That's too bad!

38 minutes ago, max-h said:

MS restricted to TLS 1.2 and cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 which is not supported by XP SP3.

My understanding is that as long as it isn't ECC-based, there exists the possibility of somehow implementing it.  Right?

40 minutes ago, max-h said:

Abbodi on MDL finded an ultime solution with a proxy to upgrade TLS connection (the proxy connect to WU with TLS 1.2 and responding to XP with TLS1) but for me (and other members), it's not working... I get error 0x80072EFE like a direct connection.

This will ultimately have to be the proper solution, I suspect, because it doesn't involve (I assume) direct hacking of system files.

c

[Vistapocalypse]

28 minutes ago, max-h said:

WU is down again (since friday november 30)

I guess you meant to write “Friday October 30,” since September 30 was a Wednesday. I didn’t realize that WU was up in October.

37 minutes ago, max-h said:

MS restricted to TLS 1.2 and cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 which is not supported by XP SP3.

It sounds like M$ detected suspicious activity and took preventative action. Wonder how long it will be before M$ takes down all updates for XP?

[Dave-H]

Some people, including me, had it apparently working again using the hack from MDL.
Unfortunately it looks as if that workaround has now been blocked.

[max-h]

 

2 hours ago, cc333 said:

My understanding is that as long as it isn't ECC-based, there exists the possibility of somehow implementing it.  Right?

I don't know.

2 hours ago, cc333 said:

This will ultimately have to be the proper solution, I suspect, because it doesn't involve (I assume) direct hacking of system files.

Yep, no need to hack something.

2 hours ago, Vistapocalypse said:

I guess you meant to write “Friday October 30,” since September 30 was a Wednesday. I didn’t realize that WU was up in October.

Oops... october, yes.

2 hours ago, Vistapocalypse said:

It sounds like M$ detected suspicious activity and took preventative action. Wonder how long it will be before M$ takes down all updates for XP?

Probably. For the deletion of updates, impossible to say. But download them quickly as possible, or use WSUS Server like me.

Tutorial for windows server 2019 : https://www.prajwaldesai.com/install-configure-wsus-on-windows-server-2019/

But it works also on 2008R2 2012 and 2016 of course.

Edited November 5, 2020 by max-h

[Usher]

Just checked WU and it worked again with no problem - with patched dll mentioned earlier:

 

[Dave-H]

Not working now here I'm afraid, on Windows Update or Microsoft Update, on the IE8 website, or on WUMT.
Error 0x80072EFD.

[max-h]

New method found ! Thanks to abbodi1406 https://forums.mydigitallife.net/threads/restore-windows-update-for-windows-xp-server-2003.82538/page-3#post-1628508

Quote

# Requirements

-Windows update agent : http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/windowsupdateagent30-x86.exe

- VC++ 11 (2012)
https://www.microsoft.com/en-us/download/details.aspx?id=30679
for XP/2003 x64, you need both vcredist_x64.exe/vcredist_x86.exe

- Internet Explorer 8
or the lost Microsoft Internationalized Domain Names (IDN) Mitigation APIs
idndl.x86.exe

- Patched PHP 5.6 for Windows XP/2003
http://www.lindasc.com/php/

(non thread safe, for IIS)
php-5.6.24-nts-WinXP32-VC11-x86.7z

needed files: 
ext\php_curl.dll 
libeay32.dll 
libssh2.dll 
nonxp.dll 
php.exe 
php5.dll 
ssleay32.dll

- Optional, latest OpenSSL 1.0.2u (libeay32.dll and ssleay32.dll)
https://www.totalcommander.ch/win/openssl/
https://github.com/IndySockets/OpenSSL-Binaries

- Windows Update MiniTool to scan against WSUS
WU/MU via IE scan against windowsupdate servers directly and fail

- WSUS Proxy mod by @mspaintmsi (AFAIK, not published before)
https://download.ru/files/vMYWEl7O

 

# How To

- Install WUA agent
- Extract WSUS_Proxy_XP.7z to proper simple path
- Execute Add_wsus.cmd
- Execute run_wsus.cmd and approve Firewall Unblock for PHP
- Run wumt_x86.exe (it should point to Windows Server Update Service) and scan
- PHP cmd window should log the requests (to client.asmx)
- When finished, close PHP cmd window

# Caveats

- Slow (specially for first scan)
and PHP will consume some RAM/CPU
- Might fail with 0x8024400A, due race condition in http.sys
just rescan again and it will work
 

 

/!\ Restricted to french IPs

Or if your're lazy, you can use my proxy that I have made available to everyone : http://wsus.update-old-wins.fr.nf

It should be specified in gpedit.msc  :

Computer configuration > Administrative templates > Windows components > Windows update > Specify intranet Microsoft update service location, and enter in the two fields : http://wsus.update-old-wins.fr.nf/?

In this case a simple update of WUA to 7.4.7600.226 or 7.6.7600.256 is required.

 

This proxy also restore the updates for Windows 2000! It just need two requirements :

-double update of WUA :

http://download.windowsupdate.com/v7/windowsupdate/redist/standalone/WindowsUpdateAgent30-x86.exe

http://download.windowsupdate.com/windowsupdate/redist/standalone/7.4.7600.226/windowsupdateagent30-x86.exe

-Root certificates : http://download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/rootsupd_a153023b66d29034420aa227ccc2164cff75229e.exe

You should also add the Specify intranet Microsoft update service location GPO in gpedit, for this : right click on Adminisitrative template : Add/remove template > add wuau.adm The Windows update section should be appear in the list.

Finally, scan with WUMT.

Edited February 13, 2021 by max-h

[Dave-H]

Thanks!
I tried with your proxy, and WUMT is just failing with error 0x8024400A all the time.

[max-h]

It's normal. Just retry again and again, after a while it works.

Edited November 10, 2020 by max-h