Does this make old versions of Windows secure enough for daily use?
No. Legacy Update is intended to help you install security patches Microsoft previously released for your operating system, in addition to enabling access to functionality that has become inaccessible thanks to modern internet security requirements. It’s not a replacement for a modern operating system, which includes fixes for recently discovered flaws that are currently of concern.
Current operating systems you should consider switching to for daily use would include Windows 11, Windows 10, or a current Linux distribution. If you’re using Windows 7, Windows 8, or Windows 8.1, you can still upgrade to Windows 10 for free. If you’re using Windows 10 on compatible hardware, you can upgrade to Windows 11 for free. Upgrading from Windows XP to Windows 7, or from Windows 7, 8, or 8.1 to Windows 10, brings you a decade of system-level security improvements, which would not be possible to apply on top of a legacy version of Windows.
Does this let me activate Windows XP with a non-genuine product key?
No, a product key you legitimately own is still required. Legacy Update doesn’t modify the Windows Product Activation or Windows Genuine Advantage features in any way. Rather, it updates Windows’s SSL security settings to enable connections to modern web servers to succeed. This corrects a connection issue with the Windows XP activation server, so you can activate Windows exactly as you would have done in 2014 or prior.
My antivirus tells me LegacyUpdate.exe is infected! What are you trying to do to my PC?
Legacy Update is in an awkward position because it’s not a very commonly downloaded file. That causes AVs to be more vigilant, and use more generic detections. The idea is to err on the side of caution, because the AV vendor doesn’t have enough information crowdsourced from its users to decide whether it’s safe or not.
Some reasons Legacy Update might be wrongly flagged as malware could be:
- Legacy Update installs an ActiveX control, which is a bit weird to do on modern Windows versions (AVs are, of course, designed for current Windows versions, not old versions like XP),
- Legacy Update changes registry keys relating to Windows Update and the Internet Explorer trusted sites list,
- The Legacy Update installer downloads and executes some programs, which can feel a lot like malware without further information to go by. They don’t exactly realise that these are Microsoft-signed programs being downloaded from microsoft.com,
- Legacy Update currently isn’t signed, so there’s no cryptographic proof of who LegacyUpdate.exe and LegacyUpdate.dll came from (I’m working on getting an Authenticode certificate to solve this).
If your antivirus reports malware, please consider finding and filling out their false-positive report form. For instance, do a Google search for “Microsoft Defender false positive report”. Their engineers will investigate, and should be able to confirm that Legacy Update is safe to use.
You can refer to VirusTotal results for more detailed info on how AVs detect Legacy Update. If you have the time to set up a build environment, you can always build from source.
Can I deploy Legacy Update to the network of PCs I manage?
While Legacy Update will likely do what you want, I’d rather you make use of Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) for this task. These are tools built for the job of update deployment to domain PCs; Legacy Update is really intended for single-user, home, or hobbyist PCs not in use on a domain. At any rate, I’d rather not encourage widespread use of legacy Windows in a corporate environment.
Can I bundle Legacy Update with my custom Windows iso, program pack, etc?
Are there any command line switches I can use when installing Legacy Update?
Here are the switches supported by Legacy Update setup:
| Switch | Description |
|---|---|
| /S | Silent installation. Displays no UI and proceeds with default configuration. If a restart is required, Legacy Update setup will exit with error level 3010. The Legacy Update website will not be opened after installation completes. (Case sensitive - the flag is a capital S, not lowercase.) |
| /norestart | Don’t restart automatically. Instead, a dialog will prompt you to restart (unless /S has also been passed). This will also prevent Legacy Update setup from creating a temporary administrator user account on your PC so it can resume unattended after restart. However, it will still register itself to continue the setup the next time an administrator logs on. |
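An added example of a wrapper script (not part of Legacy Update itself) that uses the switches above to run an unattended install on a single PC and acts on the documented exit codes; it assumes LegacyUpdate.exe sits in the same folder as the script and that the log file name is your choice:

```batch
@echo off
rem Unattended Legacy Update install wrapper (added example, not Legacy Update's own code).
rem Assumes LegacyUpdate.exe is in the same folder as this script.
setlocal
set "LOG=%~dp0LegacyUpdate-install.log"

echo [%DATE% %TIME%] Starting silent install >> "%LOG%"
rem /S is case sensitive. /norestart stops setup from rebooting on its own and from
rem creating the temporary administrator account it would otherwise use to resume;
rem with /S also passed, no restart prompt is shown either.
"%~dp0LegacyUpdate.exe" /S /norestart
set "RC=%ERRORLEVEL%"
echo [%DATE% %TIME%] Setup exited with code %RC% >> "%LOG%"

if "%RC%"=="0" (
    echo Legacy Update installed; no restart required.
    exit /b 0
)
if "%RC%"=="3010" (
    rem 3010 means "installed, restart required"; setup finishes the next time an
    rem administrator logs on, so restart when convenient.
    echo Legacy Update installed; restart to finish setup.
    exit /b 3010
)
echo Legacy Update setup failed with exit code %RC%. See "%LOG%".
exit /b %RC%
```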
Can I install Legacy Update offline?
There currently isn’t a straightforward way to install Legacy Update offline, as it assumes you have an internet connection to download additional components from Microsoft as needed for the Windows configuration you’re running it on. In future, I’d like to add a feature that allows you to pre-download these components for fully offline installation.
Am I using up all your bandwidth when I use this?
Not at all, please feel free to install as many updates as you like. The updates themselves come directly from Microsoft servers. The website of course is hosted on my server, but employs Cloudflare edge caching, so you’re in fact rarely sending traffic to my actual server.
When you check for updates, the Windows Update protocol traffic is proxied through my server, so that it can be downgraded from modern encryption to something old Windows can understand. All the server currently does is pass through exactly what your machine, or the Microsoft server, sends, with no processing beyond that. This traffic isn’t small, but it’s also not really big enough for me to be concerned about either. It’s well below the monthly bandwidth limit I’m allocated by my host.
You can, of course, still send a tip my way via GitHub Sponsors or Patreon to support the server fees - I won’t say no to some extra support and motivation!
Why is it slow?
Windows Update is a complex protocol, and applying updates is an elaborate juggling act to ensure only the correct updates are applied, and in the right order.
When you check for updates, Windows and the Windows Update server compare notes on what’s installed on your system, and therefore which updates are applicable to you. Because there are thousands upon thousands of updates, this is a very long, slow process, heavily tied to your CPU’s single-core performance, and hard drive/SSD read performance. If you watch Task Manager while you check for updates, you might see svchost.exe, wmiprvse.exe, and TrustedInstaller.exe (on Vista and later) using up an entire CPU core. This is the Windows Update Agent evaluating the configuration of your computer so it can let the Windows Update server know which updates it needs to see. Old PCs can take minutes to complete this stage, while a VM running on your modern laptop should fly through this in a few seconds.
While installing updates, you may feel a slowdown on lower-end PCs due to the volume of hard drive write activity. If you have a small amount of RAM in such a system, and a fairly slow hard drive, this can really hurt the system’s ability to use the hard drive as swap/pagefile space. This will clear up once the updates finish installing.
I installed a bunch of updates and now my PC doesn’t boot (e.g. I get “NTLDR is missing”). What now?
It seems that the latest version of the Windows Update Agent installer, when run on Windows XP Home Edition, triggers a limitation of the Windows 2000/XP bootloader (NTLDR). This is covered by KB320397, a patch for XP SP1 that was later built into XP SP2, but the issue still seems to occur despite the fix.
You can resolve this in one of a few ways:
If you have a bootable third-party defrag tool, it may be able to defragment the NTFS Master File Table (MFT). If it provides this option, you should be able to boot into Windows again once it has done this. Note that the Windows built-in defrag tool will not work, as it doesn’t support defragmenting the MFT.
If your PC has a floppy drive, and you have a spare floppy and another PC with a floppy drive, you can use the Microsoft bcupdate2.exe utility. Download it from this link, and copy it to a bootable MS-DOS floppy. If you need to make an MS-DOS floppy, you can right click A: → Format → check the “Create an MS-DOS startup disk” box, or use Bootdisk.com’s MS-DOS 6.22 floppy. At the MS-DOS prompt, type bcupdate2 C: and press Enter (assuming your Windows installation is on drive C:). Once you return to the A:\> prompt, remove the floppy and press Ctrl-Alt-Delete to restart.
If you have a bootable Windows PE CD/USB drive, such as Hiren’s Boot CD, and it’s compatible with the hardware you’re using, you can repair this without additional tools. Browse to your C: drive, then sort by Date Modified. Click the first folder with a long, random name, then scroll to the last folder, hold Shift, and click that. Make extra sure you have only selected folders named with a long, random hash, which will look something like “8a3df9adb37cd66105f9c2”. Cut (Ctrl-X) the selection, then find somewhere else you can put them (perhaps make a folder on your desktop in C:\Documents and Settings\MyName\Desktop), and paste (Ctrl-V). Then, open a Command Prompt (likely from the Start menu), and run chkdsk C: /r. This will perform a full repair, which can take a long time.
What about Windows 95, 98, Me, and NT 4?
To explain this, here is a quick history of Windows Update:
Version 3: Windows Update started life as a program called Critical Update Notification Tool (a very unfortunate acronym), which would nag you to open the Windows Update v3 website to download applicable updates for your system. Not all that intelligent - it was just a website that downloaded a massive (for the time) file listing every update ever released by Microsoft, filtering out the updates irrelevant to your system within the Windows Update website itself.
Version 4: A total overhaul of how Windows Update works. Windows Update evolved from just a standalone file to a protocol, where the PC and the Microsoft server compare notes and figure out which updates are applicable to the current system. Included with Windows 2000 and XP, and installable as an update to Windows 98, Me, and NT 4. Also introduced Automatic Updates on 2000 and XP.
Version 5 and 6: Windows Update v5 provided some major refinements to v4. Windows Update v6 added support for updating other Microsoft products along with Windows itself (confusingly named Microsoft Update), and is the most current version to this day. Included with Windows Vista right up to Windows 11, and installable as an update to Windows 2000 SP3 and XP RTM.
Legacy Update works because we’re lucky enough that the Windows Update v6 protocol is pretty much the same today as it was when the v6 protocol was first released around 2005. It seems unlikely that Microsoft will completely discontinue Windows Update for 2000/XP, though as I discussed in the introduction paragraph, Microsoft has taken a very destructive approach to discontinuing services for old versions of Windows, right down to deleting legacy downloads and knowledge base articles from their servers, so that’s still an issue to be concerned about.
Given Windows Update is a protocol, and not a website Wayback Machine can easily scrape and archive, I’m concerned that this means the legacy Windows Update servers and the updates/drivers they provide are lost to time. Some, but not all, of Windows Update v3 has been preserved by the Wayback Machine, so I’m looking into what I can do there.
So the answer, pretty much, is that I’d love to support as far back as Windows Update itself has existed, but it may be a significantly bigger undertaking than Legacy Update has been so far due to Microsoft’s intent to move on from its past. I’m still positive it can be done though!
What do you store when I use this?