News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • A new list of minimal updates for Windows 7

    Posted on September 9th, 2016 at 11:48 woody Comment on the AskWoody Lounge

    If you’re installing Windows 7 on test machines – or re-installing on your trusty old production machine – ch100 has come up with a worthwhile set of patches that you should include (and, by implication, ones you can safely avoid), in addition to all of the Important updates.

    Keep in mind that this is for fresh Win7 installations only.

    Here’s what he says:

    I installed a new VM and did Windows Update with Important updates only.

    I came up with a new list (yes, another one!) which I consider the minimal list of updates for the current state of Windows 7 – before September 2016 patches.

    It may be useful to post it before the major October 2016 Windows Update overhaul to assist your readers to be well prepared for what will soon follow.

    Here it is with full instructions:

    Set Windows Update on Never check for updates and run only manually, at least until the following list is completely installed.
    Install manually in this order first (this is essential on a new installation):


    Next, run Windows Update, still with the setting on Never check for updates and select all Important updates, (not Recommended) and non-security.

    Here is the list of what will eventually get installed as reference:

    KB976902 (this should come with the SP1 ISO)
    KB2533552 (installed previously, manually – if not installed manually, it may come up as “Service Pack 1” which means is the last bit of SP1 and it is correct)
    KB3138612 (Recommended to be installed second manually after KB2533552 and BEFORE running Windows Update to avoid 7.6.7600.320 which is broken and superseded by KB3138612)

    Note: I am actively avoiding KB971033 which I consider Optional, although it comes as Important. I still have to find a current use case for it, because I believe that the original purpose for it, to verify the authenticity of Windows, was largely abandoned. I don’t have an opinion either in favour or against, it is entirely each user’s option what to do with it.

    After installing this set of updates which can be easily verified by anyone by following exactly the steps that I did, the installation should be well-prepared for what is to be installed next.

    I am aware that there are users who do not install any update or any security update (if it ain’t broke…)

    The previous list is for them, and minimal for any reliable Windows 7 installation.

    A few recommendations for those installing patches:

    • Do not install too many updates at the same time, you will run out of physical memory and slow down the process.
      About 10 -20 updates at a time depending on RAM installed, should be OK.
    • Restart when asked.
    • Always install ALL Important Updates non-security and non-recommended. They are the most important updates of all for the reliability of the system. Those are named Critical Updates, although are not labelled as such in Windows Update, only in documentation and WSUS.

    Further updates suggested as useful and minimal for most users:

    • .NET Framework 4.5.2 (or 4.6.1)
    • KB2670838 – Platform Update. This is Optional but becomes Important in the context of installing Internet Explorer 10/11 for which is a pre-requisite.
    • Internet Explorer 11 (Internet Explorer 10 is as good or better, but many web sites are dropping support).

    There are additional updates which are installed automatically with IE10/11.

    • KB982018 – Native support for 4k sector disks
    • KB2852386 – Disk Cleanup add-on for deleting superseded updates (very useful after too many patches installed on the system!)

    Next, go ahead and install everything else!

    Note: The regular end-users should never use Microsoft Catalog or other direct Microsoft download sites for updates, unless fixing something that otherwise cannot be fixed – patches refusing to install otherwise.

    The practice of installing manually is very likely to break interdependencies because some updates come with further hidden updates and this has been happening forever, regardless of the big thing coming October 2016. Just look at the (in)famous patch KB2992611 re-release and there are many more examples.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums A new list of minimal updates for Windows 7

    This topic contains 59 replies, has 9 voices, and was last updated by

     EP 2 years, 2 months ago.

    • Author
    • #35377 Reply

      Da Boss

      If you’re installing Windows 7 on test machines – or re-installing on your trusty old production machine – ch100 has come up with a worthwhile set of
      [See the full post at: A new list of minimal updates for Windows 7]

    • #35378 Reply


      Forget .NET Framework versions 4.5.2 and 4.6.1!

      .NET Framework 4.6.2 for Windows 7 SP1 is the latest version and is found at the MS Download Center (not available from MS Update Catalog nor Windows Update) – links to them here [released 7/20/2016]:

      .NET Framework 4.6.2 web installer

      .NET Framework 4.6.2 offline/full installer

      Also while installing IE11, it installs KB2834140, a fix for KB2670838 and is another pre-requisite patch for IE11. Use the latest available graphics drivers for IE11 and KB2670838 updates.

    • #35379 Reply


      Oh wow… nice work

      will keep a copy for future re installation guide
      (if the activation still works)

      which does your minimal list works on?
      any and all – Home, Prof and Ultimate, Enterprise??

      Thanks ch 100 for testing and sharing 🙂


    • #35380 Reply


      Thanks ch100
      but i think this is below-minimal list 🙂
      while KB3138612 solves the high cpu/ram usage issue for WU scan, it doesn’t solve the long search issue
      rollup KB3172605 is a must 🙂

      KB2533552 also should join the updates-to-hide list, along with telemetry stuff
      it’s completely useless with the presence of KB3020369

    • #35381 Reply

      AskWoody Lounger

      Please clarify the statement “Next, go ahead and install everything else!”.

      What is the “everything else”?

    • #35382 Reply

      AskWoody Lounger

      I use WSUS Offline and just run it, reboot when ask, and re-run it again until it says “Nothing further to do!”. Usually takes a good hour and 5 reboots to finish. Then, I use Windows Update to check for more updates, and there usually are quite a few, but it’s usually 20-30ish.

      Reason I like doing it this way is because you have the updates locally so you don’t have to re-download them if you’re doing several machines at once.

      Good thing about WSUS Offline is that they have never added any of the questionable or sketchy updates related to GWX or telemetry, so you can trust it to install only legitimate updates.

    • #35383 Reply

      AskWoody Lounger

      Awsome piece of work if any of you want to update an image “offline” using DISM this is the “hit list” of no,no’s
      kb2506143 (stops DISM dead ie doesnt skip”
      kb2533552 (follow the above inst not DISM)
      kb9710033 (useless fluff extra time and download)
      NOTE this is not the definitive list (works for me) only off line servicing/DISM. Once again 2 awsome articles to while away an on call weekend waiting for the phone to ring 🙂 or is that 🙁

    • #35384 Reply

      John in Mtl

      What about using the method that calls for the “Convenience rollup for Windows 7 Service Pack 1”, KB3125574 ?

      There was a specific sequence of KB’s to apply to a new windows 7 SP1 installation: KB3020369, KB3138612, KB313992, KB3145739, KB3125574 (pseudo-SP2) and KB3153171. Then KB3156417-May 2016 update rollup for Windows 7, etc…

      Is this not valid anymore? Just wondering because I made a new install yesterday and am pondering which way to go, trying something other than my usual AutoPatcher routine.


    • #35385 Reply

      Da Boss

      If you’re going to be in Group A, you might as well install all of the unchecked updates. You’ll be getting them next month anyway.

    • #35386 Reply


      Works on all editions of Windows 7 with Service Pack 1, although I tested only on Windows 7 Pro and Enterprise 64-bit.
      They are actually the list of “Important” non-security, non-recommended which serve purely a reliability purpose (they are “fixes”) and do not “secure” the system or add new features. Different things are broken without them, while not everyone would notice immediately. There is a KB associated with each I believe.
      All those patches in the list should be on all systems, new or old, even if there are additional patches installed.
      One exception from the rule, if any of the patches becomes superseded, then obviously it is OK to have the newer patch installed instead.
      The other exception is for those systems which have the Convenience Pack “SP2” installed which I think supersedes some of those in the list. At this stage I am not in favour of installing the Convenience Pack, which is good, but the inter-relation with the other patches is inconsistent. This will change only if the pack will be published on Windows Update and become public for everyone in which case will become the new official baseline. I think this will happen soon.

      MSRT is flagged as Important, but being Security related, I did not place it in the list. MSRT in fact is an Update Rollup patch, category which seems to have had a lot of people running scared recently. MSRT has been an Update Rollup for ever, since its original release.

      A special note for KB2533552 which is the first fix released for Service Pack 1 itself and as such should be installed first. There is another reason for this. The supersedence between KB3020369 and KB2533552 is not handled correctly in 64-bit only and both should be installed. Onlty that if the order of installation is reversed, the first one mentioned would refuse to install (manually at least).

    • #35387 Reply



      KB3138612 resolves the long scan for new installations as much as KB3172605. Both should be eventually installed, but the first one is the MUST, at least from my experience and also how it is flagged by Microsoft. Dalai is right about this. And there is a reason, both update 7.6.7600.320 which is broken. However they do not supersede each other entirely and both should be installed on a fully patched system.

      KB2533552 is not useless, the supersedence is handled differently for 32-bit and 64-bit systems. It appears useless if installing manually or from WSUS on 64-bit, but not if installing from Windows Update where it comes as “Service Pack 1” in the list, if not installed. It is the last bit of SP1 which was not shipped with the original release of SP1. Check on WSUS for SP1 files and you will see that it is in the package. It is likely in the Catalog package too, but you have to download the Service Pack first and decompress. On 32-bit they are separate and not flagged as superseded. I don’t know which one is correct in fact, but it is harmless to allow Windows Update to handle both of them as Microsoft may update their metadata eventually to make the behaviour consistent.

    • #35388 Reply


      … if you belong to “Group A” which I have always recommended. 🙂

    • #35389 Reply


      If you do multiple machines, you should consider doing a “master” image with all patches and “sysprepped”.

    • #35390 Reply


      The other list is valid, but serves a different purpose.
      My list is what I consider minimal for good functionality (Operating System fixes, flagged as such by Microsoft, not discovered by me) and does not addresses any of the security, telemetry or other concerns.
      I replied about the Convenience Rollup few times. That patch is exclusively for IT Administrators and never released public. Until it is not on Windows Update, it is not for everyone, unless they can live on their own and design their own system or have direct support agreements with Microsoft.

    • #35391 Reply


      This is site is less targeted to those using enterprise methods of deployment, although it addresses those issues sometimes and I find this very useful, as anyone, regardless of existing technical knowledge, has something more to learn. A lot of readers here may get confused about DISM servicing and its quirks which you already mentioned a few.

    • #35392 Reply


      I know about 4.6.2, but it is still early days. It is not on Windows Update and even 4.6.1 has few issues with existing software, although this is visible in general at the server applications level. For those reasons, I tend to consider 4.5.2 the most stable, still supported version.

    • #35393 Reply

      AskWoody Lounger

      Was wondering the same thing.

    • #35394 Reply

      Da Boss

      The best source for patching-related stuff for Enterprise is Susan Bradley’s mailing list.

    • #35395 Reply


      I tried to subscribe to that list few months ago, but it seemed not to be very user-friendly for new subscribers, or I was missing something in the process. I will give it a go again that you reminded us of that mailing list. The information found there is really top class.

    • #35396 Reply


      KB3138612 doesn’t solve or affect the long scan issue
      it only reduce the cpu/ram usage consumed during the scan
      win32k.sys for the specific month is enough to solve the issue temporary

      KB2533552 is included with SP1 as separate companion update
      but it’s completely replaced by KB3020369, bit-by-bit
      so if you consider KB2533552 the last bit of SP1, then KB3020369 already cover that last bit

    • #35397 Reply

      John in Mtl

      Hi Ch100,

      Could you elaborate a bit on “serves a different purpose” ?

      Although I’m not in IT per se, my work life involves a lot of configuring of windows machines for A/V purposes and being around computers since the days of CP/M (yep, I’m getting old, LOL), I’ve always administered my personal machines “the IT way”; meaning careful reading and weighing the pros and cons of installing something. I mostly get my updates and patches by **every other means except Windows Update** (all disabled on my 6 boxes), so I’m no stranger to doing things manually or in unconventional ways.

      I always follow pretty much the same routine for building new boxes – install OS, install drivers, use AutoPatcher to selectively install OS patches, install the usual software, etc. It has worked out very well for me since the days of XP.

      I’m just now wondering if things can be improved, as in “why install 200 patches when 20 will now do”; hence my interest in using the convenience rollup **as a test run**. I could test your method in a VM as you have a very good reputation of knowing what you’re doing, around here. I do know of the pitfalls and prerequisites for using the rollup and frankly, I’m not too keen on using it either, seems a lot of hassle.

      What you propose though, makes use of windows update, kinda slow compared to the way I usually do things, although great for the “average” user (no disrespect to you all).

      And by the way, thank you for your valuable input and discussions here on Woodys’ blog; I’m sure you’ve helped a whole lot of people here get their systems running well.

      And thank you, Woody, for all your research and sharing of your knowledge and enlightened opinions.

    • #35398 Reply


      Am I correct that KB2506014 is for 64 bit systems only and not for x86?

    • #35399 Reply

      AJ North


      Many thanks, ch100 & Woody; this exactly what I was hoping to find! (And the comments are a welcome and worthwhile augmentation.)



    • #35400 Reply

      Da Boss

      If I recall, it uses an ancient mailing list subscription process – listserv.

    • #35401 Reply


      I think you are right. I mentioned in another reply that I tested only on 64-bit systems.

    • #35402 Reply

      AskWoody Lounger

      yeah i do apologise may be its best to let WUD take its course (suitibly shackled) an addendum kb2506143 is no longer on offer account has net4 dependancy where win7 base image only has net35 WTG M$! and kb9710033 should lose a zero and looking at some of the “cmd strings” for DISM to work are still daunting to look at. This list is probably out of date as the last image i did was err june?? – May?? as there have been no major M$ “faux pas” since i assumed everything was ok in the win7 dept. (dangerous assumption i know):(

    • #35403 Reply

      AskWoody Lounger

      Autopatcher’s pretty good its been a bit “buggy” when i have used it but does the job. As Ch100 says thats the bare minimum for a good working system. The last count of windows updates was well north of 200 for a clean install probably the same for AutoPatcher. as far as i remeber the april convenience roll up Kb3125574 still leaves you a “chunk” of updates (roughly 60-95) but has to have kb3020369 preinstalled to work, you can lesson the burden by 4.6.1 or 2 & ie11 as standalones (.exe) from the desktop (ie11 downloads its own 5 updates as precursers and is quicker than using WUD) but if memory serves me you can do that with autopatcher (cant recall wether it downloads ie11 as a .cab file or as a standalone) there really isnt a quicker way all told i guess your call “keep it lean and mean” or go for the full update OBTW kb3125574 is fully “snoop” enabled 🙁 hope this helps.

    • #35404 Reply


      KB971033 is weird one. It is offered unticked although important, but it is not offered at all to other enterprise tools like WSUS. This may explain why is not working with DISM either, as it is not targeted to managed networks, but rather to standalone computers.

    • #35405 Reply


      This list serves a different purpose in the sense that it is for those who don’t do any security updates, take a calculated risk, but want the best functionality out of Windows. This is what the Important non-security updates are, strictly functional and most critical fixes.
      The Convenience Pack goes one step further, including ALL non-security patches, including Recommended and Optional, or at least what Microsoft decided to bundle, as some are still left out.
      There is no harm in adding other patches to my list and it is quite recommended. My list is only what I consider minimal to have a functional OS, ignoring enhancements or security updates since Service Pack 1.
      I made this list because there seems to be a common point of view that Security Updates are all that is needed to be installed to have a Windows 7 installation in good shape. This is incomplete, as in addition to Security Updates, all Important Updates should be installed.
      I know that some people in other geographical areas will say things like they don’t need the Egypt DST cancellation patch or the Azerbaidjan currency update and so on. Those patches are actually cumulative updates (rollups) which contain all previous updates and by not installing the new updates which are flagged as Important, the scanning time for svchost.exe is increased due to additional calculations required for the superseded patches, which normally would be cancelled by the rollup.
      So, please install everything that comes under Important. There are excuses for the recommended or Optional patches, but never for Important. They are part of the baseline.

    • #35406 Reply


      I am happy that it is useful 🙂

    • #35407 Reply


      You can try by yourself installing only KB3138612 and I would say KB2533552 (optional) and KB3020369, although this is not a pre-requisite, can be installed during the update stage.
      So, install Windows 7 SP1 from ISO, then KB3138612 to avoid installing 7.6.7600.320 from Windows Update and run Windows Update.

      I have no problem at all with KB3172605, just saying that KB3138612 which is flagged as Important does the job as well and some people may just not want to install Optional updates or have problems with Intel’s Bluetooth. I personally consider that KB3172605 should be installed.

      In the light of your analysis done by comparing KB2533552 and KB3020369, I will re-assess my recommendations and consider KB2533552 as obsolete/susperseded, hoping Microsoft will also rectify their suprsedence metadata, which at least for 32-bit seems to be incorrect.

    • #35408 Reply


      I checked the list of files from KB3020369 and KB2533552 according to the latest version of the KB articles for each. It appears that the files are identical and as you say, KB3020369 replaces bit by bit KB2533552. Both are Servicing Stack updates, first one fixes SP1, while the second one fixes a lot more after 4 years from the first one. However, there seem to be some quirks related to the incorrect metadata at some level.
      If trying to install KB2533552 after KB3020369, it will not install. However Windows Update would still offer the old one.
      The good people at MDL also found the same unusual behaviour in relation to DISM installs and this is related to an old post done by abbodi1406 🙂

      “It seems to work only for Win7 x64 !

      I tested on x86 too:
      KB3020369 integrated, WU is still asking for KB2533552 (and since a couple of month for some components of SP1).
      KB3020369 not integrated, WU is asking for KB2533552; installed KB3020369 on the running system, WU still asks for KB2533552.”

      and further

      “abbodi already write down the Windows6.1-KB2533552-note :

      Servicing stack update KB2533552 has been superseded with new update KB3020369

      but WindowsUpdate still require KB2533552 to be installed in order to be satisfied
      and it will show KB2533552 as Important update in 2 entries: KB2533552 and KB976932 (SP1)

      it’s your choice if you want to ignore this update or install it from WU”

      So yes, I agree with you in relation to the old posts and it is true today in 2016, the later servicing stack update completely supersedes the old one, but Microsoft has not resolved the metadata issues that they have had in relation to those 2 patches after 16 months.

    • #35409 Reply

      AskWoody Lounger

      cant recall having dealt with it @ work but its on the work “hit list” and come to think of it i dont think its in the april cumm. update. thats how “hi-tech” we are post it notes under glass with various kb’s scribbled down in various styles of heiroglyphs if it shows up better to hide i would imagine even if your conscience is clear its another potential level of woe your just installing hence my scathing comments earlier once again good article to digest over a dry weekend pls pls not next weekend its going to be a “riotous one” 🙂

    • #35410 Reply


      “The practice of installing manually is very likely to break interdependencies”

      So automatic updates will produce a more stable system?

    • #35411 Reply


      To Woody: It’s just my humble opinion, but Microsoft appears to not have changed their stance on Windows 7 and it’s users. They appear to have changed the playing field to “We will prevail”. They have just about taken our control away from us, not entirely yet, but before the next three years are up, Window 7, will be a useless piece of computer platform. I am seeing less articles on ‘how to keep our windows 7 running’ and more articles on ‘how to make our windows 10 work’ for us.

    • #35412 Reply

      Da Boss

      It’s always been that way. The press tends to run after the latest and greatest.

      In our defense, there’s very little about Win7 that hasn’t been explored very thoroughly.

    • #35413 Reply


      It is about the right combination. Install in a controlled manner from Windows Update. Installing from Microsoft Catalog or from the download site which is currently in the process of being discontinued, ideally should only be an exception, when some sort of repairing is required and there is no other option.

    • #35414 Reply


      Internet is a fluid thing, it is the nature of the beast. Just look at how Chrome has overtaken IE and Mozilla in the browsing habits of the Internet users in a relatively short period. You cannot expect Windows 7 today to be the same that it was in 2009 and still be functional.
      The real issue is that Windows 7 should have been the “last desktop OS” and maintained properly, but Microsoft is a business and not a charity and this fact has consequences.

    • #35415 Reply


      How should a Win7 user treat this list if they are pre-disposed to accept only security updates but willing to consider other updates if they fix something of substance? (For the sake of discussion, @ch100, I’ll accept your definition of “substance.”)

    • #35416 Reply

      Da Boss

      That just isn’t an option, starting in October.

    • #35417 Reply


      This list is in addition to Security Updates. It actually does not have to be as complicated as to follow my list or any other specific list. Just select all Important Updates coming on WU which are Security, Critical (my list) and few rollups like MSRT or timezone updates.

      As Woody has already mentioned, this is likely to change soon.

    • #35418 Reply

      John in Mtl

      Thanks for the clarifications, CH100.

      @bobbyb: Autopatcher did have some bugs earlier this year, seems they are mostly pretty much all worked out now. BTW in Autopatcher IE11 is an .msu file; you doubleclick and it uses WindowsUpdate (installer or client, I dunno!) to install itself.

      As for the Convenience Rollup (KB3125574), a.k.a. pseudo-SP2, I gave it a whirl this weekend on my laptop that I was rebuilding. After having set WindowsUpdate to “Check for updates but let me choose…”, I installed the prerequisites (KB3020369, KB3138612, KB313992, KB3145739) then rebooted. I then starting the install of the rollup (KB3125574), and waited, and waited, and waited, and…

      Logn story short, despite an updated WUAgent (KB3138612), svchost gobbled up 50% cpu and RAM usage kept going up and up; and nothing was happening for at least 1 hour. Not being patient with windows installations any more, I gave up at this point and killed svchost and windowsupdate services. That meant extra work: had to wipe the Software Distribution folder and start all over again. In the end, I loaded my trusty AutoPatcher and off I went. A few hours later I had a brand new up to date system and imaged it for safekeeping.

      Since about 5 security updates would not install (they should have, and were applicable to my platform and config) and I did some very selective patching (I read every non-security KB title and a bit of the descriptions to see if I really needed a particular patch); it begs the question: Is MS really convinced that patch fragmentation is a big problem and is one of the main reasons they are revamping the updating process, abandoning the “old KB” system?

      I sure ain’t convinced (and never was!)… the new build I made runs flawlessly, as far as I can tell from using it all day, installing some programs, trying out lots of built-in OS functions and features, etc. I build most of my systems the way I described above (selective patching) and never, never, in years, encountered a problem that I could attribute to not having installed all the patches MS issues.

      Of course, come october, like everyone else, I’ll have to rethink how I do things. Meantime, for safety, I keep a very big repository of all individual KB’s. Its a good thing hard disk space is cheap these days; I’ve been collecting everything since the days of win98.

    • #35419 Reply


      Just went thru the hidden updates that have on this win 7 Desktop and out of about 47 or 48 there seem to be more Office 2010 than security for win 7. Enter each individually on internet and each had an explanation of purpose so far I am doing business as usual until October 1st and I haven’t decided on either “A” or “B”. Thanks to both of you for your help, all the rest of commenters on these forum pages.

    • #35420 Reply


      That’s what i said, KB3138612 will not fix the long search issue
      either temporary win32k.sys workaround, or the permanent rollup KB3172605

    • #35421 Reply

      James Bond 007
      AskWoody Lounger

      I don’t care what Microsoft thinks or believes. I just know that I don’t want Windows 10 at this point and I will keep using Windows 7 for as long as possible, even past the support deadline if necessary.

      I have one question : You said KB3172605 and KB3138612 are both needed. Can they be installed in any order? If I installed KB3172605 first without installing KB3138612, can I install KB3138612 over it without affecting the fix for long scans? Or do I have to remove KB3172605 and then install KB3138612 and KB3172605 in that order?

      Hope for the best. Prepare for the worst.

    • #35422 Reply

      James Bond 007
      AskWoody Lounger

      And, is KB2533552 really so important that it has to be installed first?

      I am currently rebuilding my Windows 7 virtual machines from scratch and I just install KB3138612 / KB3020369 / KB3172605 in that order. Then proceed to run Windows Update. KB2533552 will be eventually installed. I see no problems so far.

      Hope for the best. Prepare for the worst.

    • #35423 Reply

      James Bond 007
      AskWoody Lounger

      I performed a test using a virtual machine with 2 CPU cores and 4 GB RAM (in Windows the usable amount is 3GB).

      Windows 7 Ultimate 32 bit (Traditional Chinese)

      (1) Install KB3138612 / KB3020369 / KB3172605 in that order, then start Windows Update and choose to install about 100 updates

      (2) Install KB3020369 / KB3172605 in that order (omitting KB3138612), then start Windows Update and choose to install about 100 updates

      In both cases the maximum CPU load is about 50% (of 2 cores) and the maximum total memory consumption is about 1.9GB.

      This is just one test but I do not think the result will be very different if I install other language versions of Windows 7. 64 bit Windows 7 will require more memory to complete the installation but with or without KB3138612 I believe the memory consumption will be more or less the same.

      My conclusion is that KB3138612 is NOT required if you already have KB3172605 installed.

      I had rebuilt a number of my Windows 7 virtual machines from scratch, using KB3172605 and omitting KB3138612. After seeing your post I had doubts whether that is correct but now I am convinced that I am right.

      I agree with you, though, that we should not try to install all the ~220 updates in one go. Not only will it consume large amounts of memory, but in my experience it also increases the chances of some updates failing to install.

      Hope for the best. Prepare for the worst.

    • #35424 Reply


      I would suggest that the patches which did not install were superseded by newer patches already installed.
      As for the slow scanning, maybe applying in advance the patches from here would be useful.

    • #35425 Reply


      Someone has to archive stuff in general, but this is a big undertaking! 🙂

    • #35426 Reply


      It is a long story in relation to KB2533552 and KB3020369.
      The later one, KB3020369 is completely superseding KB2533552. This was pointed to me by abbodi86 and verified by me.
      Technically you can avoid completely KB2533552. The only reason that I recommended to install it first is to avoid Windows Update from complaining, because for some reason this was missed in the Microsoft detection mechanism. It may eventually be corrected at some stage by Microsoft if KB3020369 is reviewed and re-released, which would not be unusual.
      In terms of functionality of the system, KB3020369 is the only one needed and completely replaces KB2533552.
      KB2533552 is needed only for cosmetic reasons if this is a concern.

    • #35427 Reply


      “My conclusion is that KB3138612 is NOT required if you already have KB3172605 installed.”

      For the purpose of scanning, only one of them is required. However from my observations, Windows Update will install the other one eventually. I don’t know if this is a case of missed detection like in the previous discussion or they just supersede each other only partially, as the detection mechanism seems to indicate.

    • #35428 Reply


      Aaaargh! Woody, I’m getting confused. I’m in Group B Minus. I’ll try the security-only updates for a little while, but if it doesn’t work for me, I want to have a fallback – either no patches to Win7, or Win7 offline and use Linux online.
      I thought this was the perfect resource and had started downloading the patches for later potential use if a machine needed rebuilding in the future. But the comments suggest this isn’t the list I need. Or is it?

      What I want to be able to do is to recreate a working, secure Win 7 Pro, from clean install with the original disks (2009/10) and manually applying the updates needed to achieve this. Am I in dreamland, or is this a viable project? If not, apologies and please ignore this message.
      Thanks to all for the enlightenment (and occasional confusion)

    • #35429 Reply

      John in Mtl

      Yeah, I had completely forgotten about trying that out first! Oh well, next time!

    • #35430 Reply

      James Bond 007
      AskWoody Lounger

      You can hide KB3138612 if you do not wish to install it (in that case various older versions will come up in Windows Update all the way back to KB3065987, I hide them all).

      From my observations as long as you have KB3172605 installed you do not need KB3138612 or any of the older versions.

      Hope for the best. Prepare for the worst.

    • #35431 Reply

      James Bond 007
      AskWoody Lounger

      I am now reinstalling Windows 7 Ultimate 64 bit (Traditional Chinese) on an old desktop computer with an Intel Q9550 CPU and 8GB RAM.

      I installed KB3138612 / KB3020369 / KB3172605 in that order, then started Windows Update and choose to install about 100 updates.

      The maximum CPU load is 25% (of 4 cores) and the maximum total memory consumption is about 4.1GB.

      That proves conclusively, to me at least, that the KB3138612 “fix” isn’t very effective in reducing the memory requirement of Windows Update. On a machine with 4GB RAM running Windows 7 64 bit you will not be able to install 100 updates from Windows Update without running out of memory.

      Hope for the best. Prepare for the worst.

    • #35432 Reply


      The amount of consumed RAM varies, depending on how much available
      without KB3138612 or KB3172605, WU might take the whole 8GB 😀

    • #35433 Reply


      I used ch100’s method to set up a new Windows install on a test machine on Sept 9th (32-bit Win7 Home Premium SP1).

      After the initial install of the important updates (non-security and non-recommended), KB2670838, IE11, and .NET 4.5.2, I went ahead and installed all the rest – security, recommended, etc. (did NOT check anything that was not already checked under optionals or important). Windows Update search was fast for the over-two-hundred updates, probably because I installed KB3138612 manually before starting.

      However, when I ran the search today after MS released the Sept patches, it was back to the search-forever thing. After about an hour and a half of search, I finally set it to “Never search,” stopped the WU Service, manually installed a fresh copy of KB3172605 and rebooted. After waiting the 10 minutes to start the search, it took about 1 minute. So it seems Windows Update is broken again this month if you have not already installed KB3172605, which did not come up in the important updates when I did the install on the 9th. It was an unchecked optional then.

      Strangely enough, it showed up again as a checked important update in today’s patch search, even I had just installed it manually. I went ahead and installed today’s patches on the test machine, and it installed again. It shows up twice in the View Update History.

      My conclusion is, we may still have a broken Windows Update.

    • #35434 Reply

      James Bond 007
      AskWoody Lounger

      Yeah, without the “fix” it is probably even worse. But the “fix” itself doesn’t seem to be very effective.

      Anyway, what I am trying to say is that if you already installed KB3172605 manually, then KB3138612 is no longer necessary since with or without it the memory consumption is more or less the same.

      Hope for the best. Prepare for the worst.

    • #35435 Reply



      these updates I have not installed and set to hidden

      W7 PRO 64BIT HERE





      KB2952664-W10 pesterware

      KB3133977- Asus Board Related for Secureboot(bad patch)




      KB3184143-W10 PATCH REMOVER- dont have any W10 patches

      KB3185278- Unsure if I should install or leave off.

      I was wondering if any of these I should install because I read that some break certain settings etc.

      This site is great just I believe it needs a forum setup. Definitely a Bad and Safe Database need to be established in a separate area that can be seen at all times as WordPress is disorganized.

    • #35436 Reply

      Da Boss

      Two good points.

      I haven’t set up a forum because working with it would take an enormous amount of time. I’m already spending something like half of my working hours just on this web site – I need to start generating some income from it.

      As for a database – thought about doing a wiki, but there’s no “good” or “bad” in the patching biz. Many shades of grey. The database would be huge – more than a hundred new entries every month – and it would be changing constantly, often due to unique PC configurations.

      If I had a staff of a hundred I could probably do it, but it’s only me and us chickens.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: A new list of minimal updates for Windows 7

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: