Security & Legal
Does this make old versions of Windows secure enough for daily use?
No. Legacy Update is intended to help you install security patches Microsoft previously released for your operating system, in addition to enabling access to functionality that has become inaccessible thanks modern internet security requirements. It’s not a replacement for a modern operating system, which includes fixes for recently discovered flaws that are currently of concern.
Current operating systems you should consider switching to for daily use would include Windows 11, Windows 10, or a current Linux distribution. If you’re using Windows 7, Windows 8, or Windows 8.1, you can still upgrade to Windows 10 for free. If you’re using Windows 10 on compatible hardware, you can upgrade to Windows 11 for free. Upgrading from Windows XP to Windows 7, or from Windows 7, 8, or 8.1 to Windows 10, brings you a decade of system-level security improvements, which would not be possible to apply on top of a legacy version of Windows.
Does this let me activate Windows XP with a non-genuine product key?
No, a product key you legitimately own is still required. Legacy Update doesn’t modify the Windows Product Activation or Windows Genuine Advantage features in any way. Rather, it updates Windows’s SSL security settings to enable connections to modern web servers to succeed. This corrects a connection issue with the Windows XP activation server, so you can activate Windows exactly as you would have done in 2014 or prior.
My antivirus tells me LegacyUpdate.exe is infected! What are you trying to do to my PC?
Legacy Update is in an awkward position because it’s not a very commonly downloaded file. That causes AVs to be more vigilant, and use more generic detections. The idea is to err on the side of caution, because the AV vendor doesn’t have enough information crowdsourced from its users to decide whether it’s safe or not.
Some reasons Legacy Update might wrongly flag as malware could be:
- Legacy Update installs an ActiveX control, which is a bit weird to do on modern Windows versions (AVs are, of course, designed for current Windows versions, not old versions like XP),
- Legacy Update changes registry keys relating to Windows Update and the Internet Explorer trusted sites list,
- The Legacy Update installer downloads and executes some programs, which can feel a lot like malware without further information to go by. They don’t exactly realise that these are Microsoft-signed programs being downloaded from microsoft.com,
- Legacy Update currently isn’t signed, so there’s no cryptographic proof of who LegacyUpdate.exe and LegacyUpdate.dll came from (I’m working on getting an Authenticode certificate to solve this).
If your antivirus reports malware, please consider finding and filling out their false-positive report form. For instance, do a Google search for “Microsoft Defender false positive report”. Their engineers will investigate, and should be able to confirm that Legacy Update is safe to use.
Can you add a feature to enable Extended Security Updates for Windows Vista, 7, 8, and 8.1?
While Windows XP (whose support ended in 2014) received extended updates through to 2019 by spoofing the computer as being Windows Embedded 2009 (a specialised variant of Windows XP SP3), this is a very simple registry edit that has no effect on the system beyond the list of updates offered by the Windows Update server. With Windows Vista/Server 2008 and later, an installation of Windows becomes enabled to receive Extended Security Updates (ESUs) by changing its product key to one indicating that an ESU license has been paid for. To me, bypassing this comes down to being a crack for the Windows licensing system, which is hard to justify the downsides of. The following would need to happen to change my mind:
- For Windows 7: End of Windows Embedded POSReady 7 extended support on 8 October 2024, and statistics on global Windows web traffic falling below 1% for Windows 7
- For Windows 8 and 8.1: End of Windows Server 2012 and 2012 R2 extended support on 13 October 2026 (Windows 8 and 8.1 global web traffic is already below 1%)
What do you store when I use this?