SHA-2 Update for Windows Vista SP2

[Vistapocalypse]

I am not posting to ask a question: Only to repeat information that has been well known to some of us for years. There was recently much discussion (often bordering on hysteria) about Microsoft abandoning SHA-1 in favor of SHA-2, particularly in the Windows XP forum. There was also some discussion of old Windows updates related to SHA-2. I only want to clarify the situation with respect to Windows Vista here.

Microsoft released KB2763674 for Windows Vista SP2 in January 2013. For those who are curious, there is still a Microsoft article about the update at this time. Those running Vista SP2 may want to check Installed Updates to confirm that they have this update (before “upgrading” to Windows build 6.0.6003). If not, then you are in luck because the Download Center links in the above-mentioned article are still good! (Not even the service packs for Windows Vista have Download Center links anymore, although they can of course still be found in the Catalog.) To make it easy for you, here they are:

32-bit     64-bit

The continued existence of those Download Center links could be just an oversight that M$ might correct at any time, so here is a Catalog link for KB2763674. If all else fails, there are also x64 and x86 .cab files in greenhillmaniac’s repository (check the General folder).

I am sure that equivalent updates were released for other versions of Windows, but there would be no point in discussing those here.

Of course updates for Windows Server 2008 SP2 can generally be installed on Vista SP2. The main thread about that has long been Server 2008 Updates on Windows Vista. While the update mentioned above should be sufficient to run third-party applications with SHA-2 signatures, Server 2008 received updates to allow installation of Microsoft updates with SHA-2 signatures in 2019. I answered a question about which updates to install for that purpose in a July 2020 post. You would need to do that if you wish to install all possible security updates for Server 2008 SP2, since they have been signed with sha256 exclusively since the summer of 2019, or if you wish to install antispyware definitions for Windows Defender.

[jumper]

SHA-2 support includes sha256?

[Vistapocalypse]

2 hours ago, jumper said:

SHA-2 support includes sha256?

Yes. I posted a screenshot comparing the digital signatures of two servicing stack updates for Windows 6.0 in this September 2019 post. The April 2019 SSU was dual-signed, whereas the September 2019 SSU was signed with sha256 exclusively. SHA-2 support is required to install the second update. Here’s another Microsoft article for inquiring minds.

[jumper]

Thanks. Win9x doesn't have any of this, so I'm still catching up.

 

[erpdude8]

here are the direct download links to the KB2763674 update for Windows Vista from both MS Download Center and MS Catalog (why didn't the OP think of that?)
so let's cut to the chase!

MS download center msu links - (32bit)  (64bit)

MS catalog msu links for both Vista & Server 2008 - (32bit)  (64bit)

 

Edited May 18, 2021 by erpdude8

[Vistapocalypse]

On 5/17/2021 at 9:49 PM, erpdude8 said:

here are the direct download links to the KB2763674 update for Windows Vista from both MS Download Center and MS Catalog (why didn't the OP think of that?)
so let's cut to the chase!

The OP does not trust direct download links, and the Microsoft pages include relevant information. I doubt that very many are lacking this update anyway, which was really the point.

Thread ends here

___________________

 

 

Edited October 12, 2022 by Vistapocalypse

[luxxxoor]

hi guys, how do i know if i installed the sha-2 correctly ?

 

i ask that because the update KB4493730 said: "not applicable" for my windows vista ultimate x64 and the one that makes Build 6.0.6003 worked

[Vistapocalypse]

First of all, KB4493730 was a servicing stack update released in April 2019. “Microsoft strongly recommends you always install the latest servicing stack update (SSU) for your operating before installing” later updates. My guess is that you did not follow Microsoft’s recommendation and have already installed KB4474419 (SHA-2) and perhaps others. Have you installed KB4517134? That was another servicing stack update released in September 2019 that replaced KB4493730, however it was signed with SHA-2 exclusively. If you have it, or are able to install it, then you are probably OK (I’m not really sure).

[winvispixp]

42 minutes ago, Vistapocalypse said:

have already installed KB4474419

I always install kb4474419 first just because it's the one above in the folder so that's not the problem

[Vistapocalypse]

13 minutes ago, winvispixp said:

I always install kb4474419 first just because it's the one above in the folder so that's not the problem

And that does not prevent you from installing KB4493730, or do you not bother with the SSU at all? Assuming he downloaded the x64 version, I think he has already installed a subsequent SSU.

[winvispixp]

9 hours ago, Vistapocalypse said:

And that does not prevent you from installing KB4493730, or do you not bother with the SSU at all?

no, i install kb4493730 right after, not even after a restart and it works every time 

[ItCoder]

Hi, although it could be a little too late, I have discovered you can add SHA-2 kernel-level support in Windows Vista SP2 installing KB4039648. This won't change the build number to 6003 and works fine (for example to update MSE and Defender).

[Vistapocalypse]

1 hour ago, ItCoder said:

Hi, although it could be a little too late, I have discovered you can add SHA-2 kernel-level support in Windows Vista SP2 installing KB4039648. This won't change the build number to 6003 and works fine (for example to update MSE and Defender).

Welcome to MSFN ItCoder!  That possibility was mentioned in a very lengthy AskWoody thread about Defender updates that @Volume Z contributed to, so I do not doubt what you say. Have you actually tried that for MSE updates? (It is astonishing to me that Microsoft hasn’t ended those definition updates yet.) Is there any particular reason why you wish to avoid build 6003?

However, any readers who wish to install the extended kernel and/or install Windows updates up to the end of support for Server 2008 (by which time updates were signed with SHA-2) are still going to need KB4474419, which entails “upgrading “ to build 6003.

[ItCoder]

I've tested it two months ago. MSE 4.4 works even with autoupdate (there's no need to run mpam-fe)! I want to avoid 6003 because it isn't "Vista" and if you want to install some updates (such as Ultimate Extras) you must have Windows Update working (with a proxy)

[winvispixp]

12 hours ago, ItCoder said:

such as Ultimate Extras

or you can get them from GHM's repository as .cab updates which can be installed with dism++ https://msfn.org/board/topic/181756-windows-vista-update-repository-until-april-2017/

 

Edited February 17, 2023 by winvispixp