Does this make old versions of Windows secure enough for daily use?

No. Legacy Update is intended to help you install security patches Microsoft previously released for your operating system, in addition to enabling access to functionality that has become inaccessible thanks to modern internet security requirements. It’s not a replacement for a modern operating system, which includes fixes for recently discovered flaws that are currently of concern.

Current operating systems you should consider switching to for daily use would include Windows 11, Windows 10, or a current Linux distribution. If you’re using Windows 7, Windows 8, or Windows 8.1, you can still upgrade to Windows 10 for free. If you’re using Windows 10 on compatible hardware, you can upgrade to Windows 11 for free. Upgrading from Windows XP to Windows 7, or from Windows 7, 8, or 8.1 to Windows 10, brings you a decade of system-level security improvements, which would not be possible to apply on top of a legacy version of Windows.

Does this let me activate Windows XP with a non-genuine product key?

No, a product key you legitimately own is still required. Legacy Update doesn’t modify the Windows Product Activation or Windows Genuine Advantage features in any way. Rather, it updates Windows’s SSL security settings so that connections to modern web servers succeed. This corrects a connection issue with the Windows XP activation server, so you can activate Windows exactly as you would have done in 2014 or prior.

My antivirus tells me LegacyUpdate.exe is infected! What are you trying to do to my PC?

Legacy Update is in an awkward position because it’s not a very commonly downloaded file. That causes AVs to be more vigilant, and use more generic detections. The idea is to err on the side of caution, because the AV vendor doesn’t have enough information crowdsourced from its users to decide whether it’s safe or not.

Some reasons Legacy Update might be wrongly flagged as malware could be:

If your antivirus reports malware, please consider finding and filling out their false-positive report form. For instance, do a Google search for “Microsoft Defender false positive report”. Their engineers will investigate, and should be able to confirm that Legacy Update is safe to use.

You can refer to VirusTotal results for more detailed info on how AVs detect Legacy Update. If you have the time to set up a build environment, you can always build from source.

Can I deploy Legacy Update to the network of PCs I manage?

While Legacy Update will likely do what you want, I’d rather you make use of Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) for this task. These are tools built for the job of update deployment to domain PCs; Legacy Update is really intended for single-user, home, or hobbyist PCs not in use on a domain. At any rate, I’d rather not encourage widespread use of legacy Windows in a corporate environment.

If you choose to ignore this and deploy Legacy Update anyway, please be sure that the privacy policy is not in conflict with regulations your company must abide by.

Can I bundle Legacy Update with my custom Windows ISO, program pack, etc.?

Yes, but I request that you please ask the user for permission to install Legacy Update, so they have the opportunity to be informed that a third party will be in between their PC and the official Microsoft Windows Update servers. A link to the privacy policy would be appreciated wherever it would be appropriate to display one.

Are there any command line switches I can use when installing Legacy Update?

Here are the switches supported by Legacy Update setup:

/S: Silent installation. Displays no UI and proceeds with default configuration. If a restart is required, Legacy Update setup will exit with error level 3010. The Legacy Update website will not be opened after installation completes. (Case sensitive - the flag is a capital S, not lowercase.)

/norestart: Don’t restart automatically. Instead, a dialog will prompt you to restart (unless /S has also been passed). This will also prevent Legacy Update setup from creating a temporary administrator user account on your PC so it can resume unattended after restart. However, it will still register itself to continue the setup the next time an administrator logs on.
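The batch script below is an added example, not part of Legacy Update or its documentation. It runs setup with both switches described above and branches on the exit code, treating 3010 as "restart required" rather than as a failure. It assumes LegacyUpdate.exe sits in the same folder as the script; the log file path is a hypothetical choice made for this example.

```batch
@echo off
setlocal
rem Added example. Assumes LegacyUpdate.exe is in the same folder as this script.
set "INSTALLER=%~dp0LegacyUpdate.exe"
rem Hypothetical log location, chosen for this example.
set "LOG=%TEMP%\LegacyUpdate-setup.log"

if not exist "%INSTALLER%" goto :missing

rem /S must be a capital S. /norestart stops the automatic restart and the
rem temporary administrator account that setup would otherwise create.
rem start /wait blocks until setup exits so ERRORLEVEL holds its exit code.
start "" /wait "%INSTALLER%" /S /norestart
set "RC=%ERRORLEVEL%"
>>"%LOG%" echo %DATE% %TIME% setup exit code %RC%

if "%RC%"=="0" goto :done
if "%RC%"=="3010" goto :restart
echo Setup failed with exit code %RC%. Exit code logged to "%LOG%".
exit /b %RC%

:missing
echo Installer not found: "%INSTALLER%"
exit /b 2

:restart
echo Setup needs a restart to continue. Restart at a time of your choosing;
echo setup resumes the next time an administrator logs on.
exit /b 3010

:done
echo Setup finished; no restart required.
exit /b 0
```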

Can I install Legacy Update offline?

There currently isn’t a straightforward way to install Legacy Update offline, as it assumes you have an internet connection to download additional components from Microsoft as needed for the Windows configuration you’re running it on. In future, I’d like to add a feature that allows you to pre-download these components for fully offline installation.

Am I using up all your bandwidth when I use this?

Not at all, please feel free to install as many updates as you like. The updates themselves come directly from Microsoft servers. The website of course is hosted on my server, but employs Cloudflare edge caching, so you’re in fact rarely sending traffic to my actual server.

When you check for updates, the Windows Update protocol traffic is proxied through my server, so that it can be downgraded from modern encryption to something old Windows can understand. All the server currently does is pass through exactly what your machine, or the Microsoft server, sends, with no processing beyond that. This traffic isn’t small, but it’s also not really big enough for me to be concerned about either. It’s well below the monthly bandwidth limit I’m allocated by my host.

You can, of course, still send a tip my way via GitHub Sponsors or Patreon to support the server fees - I won’t say no to some extra support and motivation!

Why is it slow?

Windows Update is a complex protocol, and applying updates is an elaborate juggling act to ensure only the correct updates are applied, and in the right order.

When you check for updates, Windows and the Windows Update server compare notes on what’s installed on your system, and therefore which updates are applicable to you. Because there are thousands upon thousands of updates, this is a very long, slow process, heavily tied to your CPU’s single-core performance, and hard drive/SSD read performance. If you watch Task Manager while you check for updates, you might see svchost.exe, wmiprvse.exe, and TrustedInstaller.exe (on Vista and later) using up an entire CPU core. This is the Windows Update Agent evaluating the configuration of your computer so it can let the Windows Update server know which updates it needs to see. Old PCs can take minutes to complete this stage, while a VM running on your modern laptop should fly through this in a few seconds.

While installing updates, you may feel a slowdown on lower-end PCs due to the volume of hard drive write activity. If you have a small amount of RAM in such a system, and a fairly slow hard drive, this can really hurt the system’s ability to use the hard drive as swap/pagefile space. This will clear up once the updates finish installing.

I installed a bunch of updates and now my PC doesn’t boot (e.g. I get “NTLDR is missing”). What now?

It seems that the latest version of the Windows Update Agent installer, when run on Windows XP Home Edition, triggers a limitation of the Windows 2000/XP bootloader (NTLDR). This is covered by KB320397, a patch for XP SP1 that was later built into XP SP2, but the issue still seems to occur despite the fix.

You can resolve this in one of a few ways:

What about Windows 95, 98, Me, and NT 4?

To explain this, here is a quick history of Windows Update:

Legacy Update works because we’re lucky enough that the Windows Update v6 protocol is pretty much the same today as it was when the v6 protocol was first released around 2005. It seems unlikely that Microsoft will completely discontinue Windows Update for 2000/XP, though as I discussed in the introduction paragraph, Microsoft has taken a very destructive approach to discontinuing services for old versions of Windows, right down to deleting legacy downloads and knowledge base articles from their servers, so that’s still an issue to be concerned about.

Given Windows Update is a protocol, and not a website Wayback Machine can easily scrape and archive, I’m concerned that this means the legacy Windows Update servers and the updates/drivers they provide are lost to time. Some, but not all, of Windows Update v3 has been preserved by the Wayback Machine, so I’m looking into what I can do there.

So the answer, pretty much, is that I’d love to support as far back as Windows Update itself has existed, but it may be quite a bit more significant an undertaking than Legacy Update has been so far due to Microsoft’s intent to move on from its past. I’m still positive it can be done though!

What do you store when I use this?

Refer to the privacy policy. Please don’t hesitate to reach out to me if you have any concerns with it.