News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Blog Archives

  • Canadian Tech: How to rebuild a Win7 system with minimal snooping

    Posted on November 17th, 2019 at 09:31 woody Comment on the AskWoody Lounge

    For those of you who need (or want) to rebuild a Win7 system, but don’t want to get stuck with all of the “telemetry,” Canadian Tech has a detailed checklist that covers what you need and what you don’t. I’d appreciate your comments.

    Remember that we don’t know what data Microsoft scarfs with its telemetry updates. I have a sneaky suspicion that it’s not very different from the telemetry in Win10.

    From Canadian Tech:

    Rebuild — Windows Update (September, 2019)

    Windows Update had been a standard of security that was heavily relied upon by scores of Windows users for decades. Applying the once monthly updates became a mandatory ritual that most all Windows owners followed.  Windows Update is by default automatic. For all those decades it worked largely flawlessly.

    Unfortunately, the quality of Windows Updates has fallen off badly.  This has given rise to numerous defective updates that cause a whole range of problems.  Many updates are re-issued, some many times over.

    Coincident with this falloff in quality, starting just after Microsoft ended Windows 7 development (December 31, 2014) and began security-only “support,” Microsoft changed the objectives of these updates from primarily security-only, to feature-related along with security.  The “features” often contain(ed) changes to Windows 7 that some owners did (do) not want.  At first they could selectively reject specific updates.  October 2016, Microsoft changed the way it assembled updates in a way that no longer allows people to be selective. They call this new type of update “Roll-ups”.  These Roll-ups are an all or nothing kind of deal, that includes all manner of “updates” that are largely unpublished. There is a way to get just the security updates, but it is complex and fraught with problems unless you are a serious technician.  Therefore out of reach of most people.

    Best advice is to set Windows Update setting to “Never check for updates.”  Unfortunately, that means Windows Update no longer works automatically, but requires the user to manage the update process.  However, this is the only way to take control of the situation.  Enterprise IT folks have always done it this way.

    If you really must continue to update, in spite of my advice to not do so,  do NOT do updating until the day before the next cycle begins on the 2nd Tuesday of the month. That allows time for most of the erroneous updates to get fixed. Woody Leonhard, a tech writer extraordinaire, operates a web site, which does an excellent job of advising on Windows Update.  It features his MS-DEFCON rating system that tells you when NOT to update, and when to do so.  There is even a section on his web site, that specifically deals with Windows 7 updating.

    The security-only crowd (Woody calls them Group B) was popular at first but by June of 2017, that strategy fell apart because defects in security only updates got fixed in the “roll-up updates.”  So, that made security only updating impractical for all but the most technically competent.

    Woody’s recommendation is that Windows 7 owners should stick to Group A, which just accepts all Microsoft roll-up updates and simply allows whatever changes Microsoft decides to make.

    Another group, Group W, of which I am a member, simply does no further updating.   That group has decided the risk of not applying updates that could immunize your system from some disease, hacker or virus is a lesser risk than applying updates and allowing your system to become something you would not buy if you had a choice, or risk having defective Microsoft updates fouling your working system.  Of course this strategy includes some other choices that become far more critical:  A very good antivirus program, switching to a browser that will be updated and therefore be more secure, and the acceptance that the January 2020 date that Microsoft has set for the end of updates for Windows 7, has already come.

    At this date, I support 122 Windows 7 systems, and have for 16 years now.  None of these are enterprise systems, just home PCs.  All systems have a major Anti-virus product that I have selected.  Most have switched to Chrome browsers, which no longer requires the security problem prone Adobe Reader, Adobe Flash Player or Java.  These three programs are needed by Internet Explorer, but not by Chrome, and are a common hacker/virus attack vector.  The fact is that the Chrome browser is now in use by more than 2/3’s.   None of these systems have versions of Microsoft Office any more recent than 2010.   None of these systems has had Microsoft updates since May, 2017. That is 30 months now.  Not a single one of them has had a problem of any kind.  In fact, my support activities have fallen off by at least 75% as these systems have become so stable and reliable that problems just do not occur.  Most of my work is now hardware maintenance.

    When I re-build a system, I follow a very specific process of updating.  Note well that I do not apply any updates after May 2017:

    Please remember to do a very complete backup of your data.  Use the Windows Easy Transfer tool (part of Windows &) to create a special file that includes most of your data and all the myriads of settings you have done to personalize your system.  Be prepared to re-install application programs that you want.

    • Use a Win7 install disk with SP1.  This disk need only match the product type (home, pro, etc.) an bitness (32 or 64) of your Microsoft Product Key
    • Select Custom, not Upgrade
    • Switch to advanced and Delete all partitions. Only one logical partition – C:, which will be created by the installer.
    • After install, install network drivers if not installed already. Then activate.

    Do NOT install anything until all Windows Updating is completed.  Not even antivirus.

    • Set Windows Update to Never
    • Download and install either one or two updates manually.  ***Note exception below if not starting with SP1 disk.  In most cases only the first (KB3138612) of these is needed.  If that produces a result that says the update is not appropriate for your computer, you need to first install the 2nd of these (KB3020369), then install the first (KB3138612).  Choose the one that is for your machine — 32 bit (X86) or 64 bit (X64).


    32 bit,

    64 bit



    32 bit

    64 bit

    • Switch from Windows-only updates to Microsoft updates
    • Reset Windows Update setting to Never
    • Start Windows Update
    • When a list of updates is offered (likely nearly 200 or so), refuse the following updates by right-clicking on them and choosing hide

    Anything labeled Roll-up, with the exception of .net roll-ups

    Any update that is NOT described as “Security” whose issue date is later than December 31, 2014.  That is the date Windows 7 development ended.

         Any update that is labeled Security that is  dated after  September, 2016

    Any Office update whose issue date is later than May 2017, displayed on the right

                    You do not want any optional updates

    *** If you cannot find an SP1 install disk, the step where the 2 specific updates (KB3138612 and KB3020369) described and linked above does not get done until the updating process installs SP1.

    • Install any missing drivers, using drivers downloaded only from the OEM support page.

    Install the following Security-only updates for October 2016 through May 2017

    You can find an excellent guide on this topic at:

    You do not need to restart until all these updates are completed.  When you do restart, it may take a while to process it and get back to your desktop screen

    • October, 2016 KB3192391:

    64 bit:

    32 bit:

    • November, 2016 KB3197867

    64 bit:

    32 bit:

    • December, 2016 KB3205394

    64 bit:


    • January, 2017 KB3212642

    64 bit:

    32 bit:

    • February, 2017.  There were no updates this month
    • March, 2017 KB4012212

    64 bit:

    32 bit:

    • April, 2017 KB4015546

    64 bit:

    32 bit:

    • May, 2017 KB4019263

    64 bit:

    32 bit:

    • May, 2017 IE update KB4018271

    64 bit:

    32 bit:

    Microsoft Office:  install in the usual fashion, then run Windows Update again.  Do NOT install any Windows update of any kind.  Un-check each and every one of them.  Then carefully go through the Office Updates offered.  Simply select the first with one click, look to the right for the date of issuance.  If that date is later than Mayy, 2017, un-check it.  Then proceed to the update process.  In other words, you only want office updates that were offered prior to June 2017.

    After Windows 7, system drivers and all updates are installed and any stable applications like Microsoft Office are installed and updated, and before any data or dynamic applications are installed such as antivirus software, create a system image.  It will take 3 or 6 DVD +Rs (not -Rs) and about an hour.  When you are done you will have a very nice bit of insurance.  Should you ever again need to re-build a corrupted system or replace a hard drive, you will have a precise duplicate of your system as it is at this point.  You can restore that image to a hard drive in 20 to 60 minutes.  Creation of System Image is found in your menu under Maintenance, Backup and Restore.

    Another great feature about creating the image is that you do not need an install disk or a product key to do the re-install the next time, all your drivers will be installed and you will have saved yourself all the time you put in this time, and have a complete functioning system.

    You will, in fact, have a final-state Windows 7 installation which could run on this particular computer as long as the computer hardware itself holds up and the software  you prefer is still usable. Your system will already be activated and you will not need an install disk or Microsoft Product Key again.  In fact, Microsoft could evaporate, and your Windows 7 system would still function just fine, even if you had to install a new hard drive.

    I emphasize the need for PLUS R DVD blanks.  Do not use the more common MINUS R DVD blanks.

    • Install software, ending with antivirus software.
    • Then copy your data into the newly created system.
  • Patch Lady – 7 patches are getting prepared

    Posted on November 6th, 2019 at 16:30 Susan Bradley Comment on the AskWoody Lounge

    Microfix spotted in the catalog a catalog only patch to test for the ability to accept extended support patches for Windows 7.

    The update

    The patch points out the necessary parts:


    You must have the following installed on your on-premise device before you apply this update:

    1. Install the following SHA-2 code signing support update and servicing stack update (SSU) or a later SSU update:
      • 4474419 SHA-2 code signing support update for Windows Server 2008 R2, Windows 7, and Windows Server 2008: September 23, 2019
      • 4490628 Servicing stack update for Windows 7 SP1 and Windows Server 2008 R2 SP1: March 12, 2019
    2. Install the following servicing stack update (SSU) and monthly rollup:
      • 4516655 Servicing stack update for Windows 7 SP1 and Server 2008 R2 SP1: September 10, 2019
      • 4519976 October 8, 2019—KB4519976 (Monthly Rollup)
    3. Install and activate the ESU key. For information about how to install and activate the ESU key, see the How to get Extended Security Updates for eligible Windows devices blog on the Microsoft Tech Community website.Note After activation, you can then continue to use your current update and servicing strategy to deploy ESU through Windows Update, Windows Server Update Services (WSUS), or whichever update management solution that you prefer.

    Everyone should have received the SHA-2 and servicing stack update in part 1.  Everyone by now should have (or are real close to) installing the servicing stack and rollup.  But note, that patch is not a security only patch, it’s a monthly rollup patch that is mandated.   I don’t remember if we’ve determined if that monthly rollup has telemetry stuff in it or not, but certainly those of you on the security only path – we will have to do a bit more digging into that.

    Finally the ESU key – and the ability to purchase the ESU key won’t be known until 12/1/2019 when it goes on the sku pricing list.  Hang loose for that last piece as I will be (attempting) to purchase 1 and only 1 copy of a Windows 7 extended support.

    Stay tuned, more to come.

    [edit]  PK points out in the comments:  Windows 7 Security Monthly Quality Rollups have had the KB2952664 functionality (Compatibility Appraiser) included since Sept. 2018. Rollups are cumulative. KB4519976 is a Rollup

    My follow up comment:  I guess one can always go in and ensure you disable the tasks that turn on telemetry?

  • Dedoimedo: Straight talk about Windows 7

    Posted on October 30th, 2019 at 06:41 woody Comment on the AskWoody Lounge

    I don’t agree with everything in the article, but @EP just pointed me to a remarkably well-written and, in my opinion, highly accurate guide to the end of Windows 7. Igor Ljubuncic, on his Dedoimedo blog, doesn’t mince any words:

    If you have a Windows 7 machine, you can continue using it past the operating system EOL date. I’ve laid down the recipe for good security, the hardware will work as long as it lasts, and the software won’t just vanish. You will have time to adjust, and this should coincide with hardware replacement. Once that happens, you should definitely leave Windows 7 behind, and get a modern up-to-date operating system to match the capabilities of your new machine.

    If you’re going to stick with Win7, he has a number of common-sense recommendations (and observations!) that ring true with me.

    I disagree with him on some nit-picking points:

    • I don’t like EMET because it borks too many programs that otherwise work just fine. You can try it, using his recommended method, but if you get too frustrated, don’t be afraid to turn it off.
    • Igor’s fond of Microsoft Office (or at least tolerates it). By and large, I’ve kicked my Office habit – moved to the free Google apps. Like Igor, I also have editors who need Word DOCXs, and I use Office for those, but I’d likely be just as happy using the free online version of Word. Books are a different story altogether, of course — it’s Word all the way with those. Not my choice.
    • He talks about Linux, but doesn’t touch on the most important Linux implementation for Win7 users — ChromeOS. You’ve heard me say it before, but for most people who aren’t overly concerned about snooping, a Chromebook should be your #1 candidate for a replacement computer. (And if you are concerned about snooping, you have a very long row to hoe with Win7.)

    As Igor says, this advice is for home users — if you’re running a 100-machine network, the considerations are quite different. But I still recommend the Chromebook. 🙂

    You’re going to hear a lot of fearmongering, tales of impending hell fire and damnation, from the mainstream press. Many of the people offering the sermons will have the best intentions. But they don’t know your situation, what you need, what you can afford (time and money)… and, ultimately, what’s best for you.

    Win7’s, uh, transition to EOL is not The End of the Universe as We Know It.

  • Seven Semper Fi: Three months to go; here’s what to do.

    Posted on October 21st, 2019 at 01:15 Tracey Capen Comment on the AskWoody Lounge


    By Woody Leonhard

    Time’s running out! Microsoft’s still scheduled to deliver its last Windows 7 security patches on January 14, 2020.

    If you plan to continue using your Win7 machines, there’s a variety of tasks you should tackle now to minimize the chances of getting thrown under the bit bus.

    Read the full story in AskWoody Plus Newsletter 16.38.0 (2019-10-21).

  • Microsoft wants to sell you security patches for Win7

    Posted on October 21st, 2019 at 01:05 Tracey Capen Comment on the AskWoody Lounge


    By Amy Babinchak

    Given the approaching Windows 7 end of life (January 14, 2020), here’s a surprising development from Microsoft: paid support for all business customers.

    Microsoft is, perhaps, bowing to reality — thousands of businesses are not going to migrate to Win10 before the deadline. Whatever the reason, beginning December 1, even small firms will be able to purchase an Extended Security Updates (ESU) license for their Win7 systems.

    Read the full story in AskWoody Plus Newsletter 16.38.0 (2019-10-21).

  • Announcing the arrival of the Win7 Pro upgrade-to-Win10 nag, KB 4493132

    Posted on October 18th, 2019 at 07:50 woody Comment on the AskWoody Lounge

    It’s official — and I can confirm. If you install the Win7 patch  KB 4524752 on a Win7 Pro machine and reboot a couple of times, you’ll see the new nag screen:

    That shot’s taken from my Seven Semper Fi machine, which is now forewarned about impending doom.

    OK, I’m being overly dramatic – in fact it all looks like a straightforward nag. As best I can tell, checking “Do not remind me again” actually does take away the nag. But there are some oddities — and a couple of registry settings that send my Spidey sense tingling.

    Details in Computerworld Woody on Windows.

  • MS to give small/medium businesses access to Win7 patches after January

    Posted on October 1st, 2019 at 12:50 woody Comment on the AskWoody Lounge

    Chip, chip, chip.

    Jared Spataro, MS corporate VP for Microsoft 365 (note the title) has just posted a reprieve, of sorts:

    today we are announcing that, through January 2023, we will extend the availability of paid Windows 7 Extended Security Updates (ESU) to businesses of all sizes. (Previously, Windows 7 ESU was only available to Windows 7 Professional and Windows 7 Enterprise customers in Volume Licensing.) The Windows 7 ESU will be sold on a per-device basis with the price increasing each year.

    Starting on December 1, 2019, businesses of any size can purchase ESU through the cloud solution provider (CSP) program. This means that customers can work with their partners to get the security they need while they make their way to Windows 10.

    Mary Jo Foley at ZDNet has pricing:

    The price of the ESUs goes from $25 per device for Windows Enterprise users in year one, to $100 per device for year three. For Pro users, ESU pricing goes from $50 per device in year one up to $200 per device in year three.

    I don’t participate in the Cloud Solution Provider program, so I don’t know the precise details. But I have a feeling we’ll find out soon.

  • Win10’s usage share is up — but not by all that much

    Posted on October 1st, 2019 at 07:42 woody Comment on the AskWoody Lounge

    Numbers are out for September usage of the various operating systems. Here’s the Netmarketshare analysis, showing Win7 still holds 35% a little under 30% usage share:

    Of course, my standard disclaimer applies: None of the measuring methods is very good. The only real conclusion you can reach by looking at the numbers is to compare how they change from month to month.

    Still, with four months left to go, Win7 is hanging in there pretty well, eh?