
On decommissioning of update servers for 2000, XP, (and Vista?) as of July 2019


Mcinwwl


I can confirm that version 2.30 does work in XP!
:yes:
Here's its output after scanning the July 2020 wsusscn2.cab file I scanned before on Windows 10 with version 2.80.
As you can see, it's quite different.
Whether this is SHA-2 problems I don't know, but it doesn't mention it, which 2.80 did.
:dubbio:
 

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

D:\Users\Dave>e:

E:\>cd dump folder

E:\Dump Folder>sigcheck -i wsusscn2.cab

Sigcheck v2.30 - File version and signature viewer
Copyright (C) 2004-2015 Mark Russinovich
Sysinternals - www.sysinternals.com

E:\Dump Folder\wsusscn2.cab:
        Verified:       Signed
        Catalog:        E:\Dump Folder\wsusscn2.cab
        Signers:
           Microsoft Corporation
                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                Valid Usage:    Code Signing
                Serial Number:  33 00 00 01 F3 07 55 2B 7B A6
                                03 AD 7C 00 02 00 00 01 F3
                Thumbprint:     8C0FB087D6EB137F3FEE3AFA56F168FCA5224830
                Algorithm:      SHA1
                Valid from:     21:18 20/03/20
                Valid to:       21:18 30/09/20
           Microsoft Code Signing PCA
                Status:         Valid
                Valid Usage:    All
                Serial Number:  61 04 35 45 00 00 00 00 00 3F
                Thumbprint:     4BAEA1454B8D5DC845BDE7A2D9754FABC221267C
                Algorithm:      SHA1
                Valid from:     18:42 20/09/18
                Valid to:       00:28 10/05/21
           Microsoft Root Certificate Authority
                Status:         Valid
                Valid Usage:    All
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73
                                58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      SHA1
                Valid from:     00:19 10/05/01
                Valid to:       00:28 10/05/21
        Signing date:   02:41 14/07/20
        Counter Signers:
           Microsoft Time-Stamp Service
                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                Valid Usage:    Timestamp Signing
                Serial Number:  33 00 00 01 54 B0 93 6E 7C 4C
                                1C 1A 58 00 00 00 00 01 54
                Thumbprint:     7E3F6224A15080E0D17B3B3ED7505E1CD704076D
                Algorithm:      SHA1
                Valid from:     02:13 19/12/19
                Valid to:       02:13 17/03/21
           Microsoft Time-Stamp PCA
                Status:         A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
                Valid Usage:    Timestamp Signing
                Serial Number:  61 16 68 34 00 00 00 00 00 1C
                Thumbprint:     375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm:      SHA1
                Valid from:     13:53 03/04/07
                Valid to:       14:03 03/04/21
           Microsoft Root Certificate Authority
                Status:         Valid
                Valid Usage:    All
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73
                                58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      SHA1
                Valid from:     00:19 10/05/01
                Valid to:       00:28 10/05/21
        Publisher:      Microsoft Corporation
        Company:        n/a
        Description:    n/a
        Product:        n/a
        Prod version:   n/a
        File version:   n/a
        MachineType:    n/a

E:\Dump Folder>

 



7 minutes ago, Dave-H said:

I can confirm that version 2.30 does work in XP!

Many thanks, Dave, for your swift reply... :thumbup

31 minutes ago, VistaLover said:

And, perhaps more importantly, does it support SHA-2 signatures?

10 minutes ago, Dave-H said:

Whether this is SHA-2 problems I don't know, but it doesn't mention it, which 2.80 did.

As I feared, it doesn't see at all the SHA-2 file signature... :( I don't exactly know how the tool works, but if it's reliant on OS libs, this is no surprise at all, since XP itself doesn't have support for SHA-2 (You could also test sigcheck-v2.30 on your Win10 partition, if SHA-2 data are printed there, we'll be sure sigcheck uses OS level libs/functions... ;) ) ...

However, we are back at square one :angry: ; both sigcheck-v2.80/Win10 and sigcheck-v2.30/WinXP do see the SHA-1 file sig (which is the one validated under XP), so the mystery about the July 2020 wsusscn2.cab file doesn't seem related to file signatures... If only a "digital" Miss Marple could help on this... :sneaky:


1 hour ago, VistaLover said:

this post from 2015 suggests XP support was dropped starting with v2.30,

The poster corrected it in the later post of the thread. I can confirm the last sigcheck version supporting XP is 2.30, and it does *not* support SHA-2 signatures (I think it just calls system functions), which is displayed as ????????.


1 hour ago, VistaLover said:

so the mystery about the July 2020 wsusscn2.cab file doesn't seem related to file signatures

I observed that in the process of offline scanning, the cab file is first copied to %windir%\SoftwareDistribution\ScanFile, then the package*.cab files in it are extracted. That once led to insufficient disk space, so I added a delete operation to the script. The verification of the signature seems to happen before extraction (confirmation request). If the verification fails (the error encountered by Dave-H), the cab file is deleted. I suggest Dave-H check whether the package*.cab files did get extracted; yet whether they are extracted or not, I don't know what to check next; I think the mystery hides in the process of the WUA API functions, so I pointed to the MS doc site.


I ran "sigcheck -i wsusscn2.cab" on the November 2019 version of wsusscn2.cab, using sigcheck 2.30 on Windows 10, and got exactly the same result as I did when I ran the same command with the same files on XP, still no SHA-2 information, so it looks as if it isn't OS dependent.

Comparing the results from the November 2019 cab and the July 2020 cab, there seems to be very little difference, apart from the serial number and thumbprint, as you would expect, and the dates on the first certificate displayed, which are later of course on the latter file. Both have certificates apparently past their expiry dates.
Everything else seems to be identical, which raises more questions as to why one of them works for me and the other doesn't!
:dubbio:

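An added example, not part of any post in this thread: a small parser for the `sigcheck -i` layout quoted above that lists which certificates fall outside their validity period at a chosen moment, so the signing date and a later clock reading can be compared. It assumes the dates are printed as day/month/two-digit year; the sample is a constructed, trimmed copy of the quoted output.

```python
import re
from datetime import datetime

# Constructed sample: trimmed from the sigcheck -i output quoted in this thread.
SAMPLE = """\
        Signers:
           Microsoft Corporation
                Status:         A required certificate is not within its validity period
                Serial Number:  33 00 00 01 F3 07 55 2B 7B A6
                                03 AD 7C 00 02 00 00 01 F3
                Valid from:     21:18 20/03/20
                Valid to:       21:18 30/09/20
           Microsoft Code Signing PCA
                Valid from:     18:42 20/09/18
                Valid to:       00:28 10/05/21
           Microsoft Root Certificate Authority
                Valid from:     00:19 10/05/01
                Valid to:       00:28 10/05/21
        Signing date:   02:41 14/07/20
        Counter Signers:
           Microsoft Time-Stamp Service
                Valid from:     02:13 19/12/19
                Valid to:       02:13 17/03/21
           Microsoft Time-Stamp PCA
                Valid from:     13:53 03/04/07
                Valid to:       14:03 03/04/21
"""
FMT = "%H:%M %d/%m/%y"  # assumption: dates are day/month/two-digit year
FIELD = re.compile(r"\s*(Valid from|Valid to|Signing date):\s+(.+)")
HEX_RUN = re.compile(r"(?:[0-9A-F]{2} ?)+")  # wrapped serial-number line

def parse(text):
    """Return (signing_date, [(cert_name, valid_from, valid_to), ...])."""
    certs, name, start, signed = [], None, None, None
    for line in text.splitlines():
        m, s = FIELD.match(line), line.strip()
        if not m:
            # A certificate name is a line with no "field:" and no hex bytes.
            if s and ":" not in s and not HEX_RUN.fullmatch(s):
                name = s
            continue
        when = datetime.strptime(m.group(2).strip(), FMT)
        if m.group(1) == "Valid from":
            start = when
        elif m.group(1) == "Valid to":
            certs.append((name, start, when))
        else:
            signed = when
    return signed, certs

def outside_window(certs, when):
    """Names of certificates whose validity period does not contain `when`."""
    return [n for n, a, b in certs if not a <= when <= b]
```

Calling `outside_window(certs, signed)` checks the chain at the recorded signing date, while passing any other `datetime` checks it against that clock reading instead.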

16 hours ago, xpandvistafan said:

The Windows Update website is now stuck in an infinite redirect loop.


Same!


~~~EDITED~~~

Oooops ... I accidentally displayed my product id on those pics - I will upload them again with that personal info blanked out. <--- Corrected now.

The catalogue is empty with updated sp3 and I've tried every setting under the sun in IE8 and "Internet Option" in the control panel; as well as enabled (...ugh...) services that I usually have disabled to see and just no luck at all.


So, I've been working on this for 5 hours today already and it's too nice to stay stuck inside, henceforth I'll try again another time. :( :( :(

And I'm NOT one to 'throw in the towel' (I won't), but I've been racking (what's left of) my brain and am at a loss with this.

Sorry guys.

Edited by XPerceniol

I suspect it's time to read the last rites over the Microsoft Update and Windows Update web sites.
As I said earlier, I'm surprised that they haven't been completely taken offline by now!
AFAIK there's nothing left now served by them which is still in support.

What do you mean by "the catalogue is empty"?
Do you mean that if you put a known existing KB number in the search field and search for it, you get no results?
The screen grab you posted is quite normal until you do a search for something.
:dubbio:


I'll check that out, Dave, I had to remove the screen grabs (for now) as they displayed my product ID.

EDIT: Ok, I've removed the personal info I accidentally displayed.

Edited by XPerceniol

Update:

The www.update.microsoft.com site has now been re-signed with a SHA384 certificate signed on April 27. Microsoft has now also deployed HSTS on the site. The site supports TLS 1.2 and higher, with the weakest cipher being TLS_RSA_WITH_3DES_EDE_CBC_SHA. https://www.ssllabs.com/ssltest/analyze.html?d=www.update.microsoft.com

 


@XPerceniol
Is the Microsoft Catalogue actually working for you?
:dubbio:
Just as an aside, you don't have to use Internet Explorer for the catalogue, just in case you weren't aware, it should work in any browser.
Windows/Microsoft Update needs IE as it uses ActiveX controls, which don't work anywhere else, but the catalogue is a standard site.
:yes:


Just for interest, I thought I would try out the "Portable Update" tool referenced in this post.
It does seem to work fine still, and downloaded a new wsusscn2.cab file, containing updates from this month.
The tool lists all my installed updates, and says I don't need any, which is almost certainly correct, but surely if it did decide I needed any, it wouldn't work anyway as that cab isn't SHA-1 signed?
I would be interested to see what it would do if I tried to use it!
:D


1 hour ago, Dave-H said:

...but surely if it did decide I needed any, it wouldn't work anyway as that cab isn't SHA-2 signed?
I would be interested to see what it would do if I tried to use it!

Well you could uninstall an update, but first better make sure a standalone installer is available.


Yes, Dave, I was expecting a page to come up with all the updates available as it used to be in IE (I realized this morning I have activeX disabled anyway lol). I'm able to search and download updates with no issues.

However, as I share your instinct(s) - I'll leave well enough alone so long as this old Ford Pinto starts up and still shifts into "drive".

That being said.. I bookmarked the "Portable Update" tool in case the need be to give life support to this beast :unsure:

Cheers :)

EDIT:

Ok I found it - sorry for my ignorance :( I downloaded the tool and enabled the services (I thought) were/are required and the log is as shown after running it 5 times.

30/04/2021 11:51:29 AM    1272    Main error: The remote server machine does not exist or is unavailable - PortUp
30/04/2021 11:51:38 AM    532    Main error: The remote server machine does not exist or is unavailable - PortUp
30/04/2021 11:51:49 AM    380    Main error: The remote server machine does not exist or is unavailable - PortUp
30/04/2021 11:52:17 AM    1620    Main error: The remote server machine does not exist or is unavailable - PortUp
30/04/2021 11:53:17 AM    912    Main error: The remote server machine does not exist or is unavailable - PortUp

Below was from the first link on that page on our forum. I'll have to put on my 'thinking cap' for this one it seems. I found a good deal online for a 'thinking cap' as I have a coupon somewhere in my dresser drawer still ... hopefully anyway :wacko:

FINAL EDIT: (I promise - I guess I'm not as dumb as I look)

Turns out: I had to (also) enable (as I usually have it disabled) DCOM Server Process Launcher - and boomshakalaa - 6 updates available.


Edited by XPerceniol
