• How to update Win7 that has been offline since 2015

    #341349

    I have a big ASK.

    I have a Windows 7 machine that I haven’t turned on since 2015. It was right in the middle of that mess with Windows Update – it took hours and hours to update Windows 7, if it updated at all. In the midst of that we moved. I boxed that PC up and didn’t unpack it until last weekend. Still haven’t turned it on let alone connected to the web.

    I want to resurrect that machine. I’d like it to be Group B – security only updates. I don’t want the spectre and related updates. I also wish to avoid the modern telemetry add-ons. I just want my old Win7 machine up and running securely.

    Now to the big ASK! What steps should I take to bring this machine back to life – albeit a mostly secure if not fully updated life?

    Thanks in advance, RamRod.

    • #341454

      I’d start by hooking it up without an internet connection and firing it up to let it finish whatever it was doing.
      Then I’d back it up to an external disk via a bootable CD/USB.

      You can try the WSUS Offline update utility to get it to a point where it’s ready for connection to the internet. http://download.wsusoffline.net/

      cheers, Paul

      1 user thanked author for this post.
    • #341505

      For a fix to the Windows 7 Update lock down look here:

      Win7 Windows Update once again taking forever

      WSUS Offline as suggested by Paul T also works great and is much faster than Windows Update. But the above fix should at least get Windows Update going in case you need it.

      W10&11 x64 Pro&Home

    • #341508

      This site keeps an updated list of servicing stack updates and rollups required to get you back to life.

      http://wu.krelay.de/en/

      Never Say Never

      • #341510

        He is going to update Group B – no Rollups

      • #341656

        Plus the Windows 7 general update search issue has really, really been fixed two years ago. It’s been fixed to the extent you won’t be able to reproduce it right now – no matter how hard you try.

        Regards, VZ

    • #341509

      Some of this you may already know, but here goes.

      Four Topics you might want to become familiar with before you start are:
      https://askwoody.com/2017/new-directions-for-win-7-and-8-1-patching/
      https://askwoody.com/forums/topic/group-b-win78-1-missing-updates-hiding-rollups-security-only-patches/
      https://askwoody.com/forums/topic/group-a-win-7-and-8-1-might-be-missing-updates-if-dont-hide-unwanted-updates/
      and
      https://askwoody.com/forums/topic/what-issues-can-result-from-hiding-a-windows-update/

      The following is MY recommendation – not gospel, just the way I would do a Group B install from 2015 forward. Others may have a different method.

      Some of the settings external to Windows Update and in Windows Update that I use are found here:
      https://askwoody.com/forums/topic/new-directions-for-win-7-and-8-1-patching/#post-139072
      Set them before you go online if they are available. Some will not be available until after updates are installed.

      If your intention is to avoid the Meltdown/Spectre mitigation as a Group B patcher, you should stop updating with the December 2017 Security-only patches because after that even the Security-only patches have M/S mitigation. This is going to leave you vulnerable for other exploits as well as M/S. My recommendation is to go ahead and bite the bullet and be fully patched. If you have AMD, you also need to be alert to that in the first three months of 2018 if you go ahead and patch to current.
      I would not install .NET 7 or above unless you need it for a particular application.

      Check to see if these are installed; if not, download KB3020369, KB3138612, KB4490628, and KB3172605 for your bitness (from another computer).

      OFFLINE:
      1. Open Administrative Tools\Services. Highlight Win Update Service and at top left click “Stop”
      2. Manually install any patches missing from the four downloaded patches in the order above. Reboot.
      3. In Windows Update Change settings – CHECK “Give me recommended updates the same way I get important updates,” CHECK “Give me updates for other MS products,” and set updates to “Never Check

      ONLINE:
      1. Check for updates
      2. If you don’t want the telemetry updates, HIDE the ones mentioned at the top of AKB2000003. You will have to keep watching for these every time before you install updates. Particularly KB2952664.
      3. To be sure you get all the necessary updates: HIDE the current “Security Monthly Quality ROLLUP,” check for updates, HIDE the next earlier “Security Monthly Quality ROLLUP,” check for updates. Repeat this procedure until you have hidden the “October 2016 Monthly ROLLUP.”
      4. Download and Install manually from AKB2000003, the Security Only Quality Updates from Oct 2016 to current (or stop with the last being Dec 2017 if you choose no M/S) and the latest Cumulative Update for IE11. Reboot wait 30 min. & check.
      5. HIDE any other updates you don’t want to install (drivers, anything that has caused a problem with your PC, features you don’t want, etc)
      6. Install everything else that is CHECKED in the “important updates” list. Reboot. (I like to do this in batches. (“Updates for Win7,”) reboot wait 15 min. & check, (IE11, .NET 4.5.2 or 4.6.1 ONLY, any additional “Updates for Win7,” and in the optionals KB2670838 Platform Update), reboot wait 15 min. & check, (any “Update for User-Mode Driver Framework,” “Update for Kernel-Mode Driver Framework,” and “Update for ActiveX Killbits”), reboot wait 15 min. & check, (“Security Updates for Win7”), reboot wait 15 min. & check, (“Security Updates for MS .NET”), reboot wait 15 min. & check, (anything else that is CHECKED in the “important updates” list), reboot wait 15 min. & check.)
      7. Repeat #5 and #6 until there is nothing left that is CHECKED in the “important updates” list.
      9. HIDE any UNCHECKED important updates that you don’t intend to install in the future.
      10. Reboot. Wait 45 minutes. Run Disk Cleanup, click “Cleanup System Files,” be sure Windows Update Cleanup is checked, click OK.

       

      NOTE: This link is old and meant for a clean install, but the reference this is based on is here.

      6 users thanked author for this post.
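
Added example (not part of the post above or of AskWoody's own material): a PowerShell script for OFFLINE steps 1 and 2, which reports which of the four prerequisite KBs are missing, stops the Windows Update service, and installs the missing ones in the listed order. The folder `C:\Patches` and the `*KBnnnnnnn*.msu` file-name pattern are assumptions; only cmdlets available in the PowerShell 2.0 that ships with Windows 7 are used.

```powershell
# Added example. $PatchDir is an assumed folder holding the .msu files
# downloaded on another computer. Run from an elevated PowerShell prompt.
param([string]$PatchDir = 'C:\Patches')

# Prerequisite updates, in the install order given in the post.
$Prereqs = 'KB3020369', 'KB3138612', 'KB4490628', 'KB3172605'

function Get-MissingUpdate {
    param([string[]]$Wanted, [string[]]$Installed)
    # Keeps the order of $Wanted; -notcontains works on PowerShell 2.0.
    $Wanted | Where-Object { $Installed -notcontains $_ }
}

# Get-HotFix lists the updates Windows has recorded as installed.
$installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
$missing   = @(Get-MissingUpdate -Wanted $Prereqs -Installed $installed)

if ($missing.Count -eq 0) {
    Write-Host 'All four prerequisite updates are already installed.'
    return
}
Write-Host ('Missing: ' + ($missing -join ', '))

# OFFLINE step 1: stop the Windows Update service before installing.
Stop-Service -Name wuauserv -Force

# OFFLINE step 2: install what is missing, in order, without auto-reboot.
foreach ($kb in $missing) {
    $msu = Get-ChildItem -Path $PatchDir -Filter "*$kb*.msu" |
           Select-Object -First 1
    if (-not $msu) {
        Write-Warning "$kb was not found in $PatchDir; stopping to keep the order."
        break
    }
    $proc = Start-Process -FilePath 'wusa.exe' -Wait -PassThru `
            -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart'
    # 0 = installed; 3010 = installed, reboot pending.
    if ((0, 3010) -notcontains $proc.ExitCode) {
        Write-Warning "$kb failed, wusa exit code $($proc.ExitCode); stopping."
        break
    }
    Write-Host "$kb installed."
}
Write-Host 'Reboot, then re-run this script to confirm nothing is missing.'
```

Re-running it after the reboot and seeing the "already installed" message confirms the machine is ready for the Windows Update settings in OFFLINE step 3.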
      • #341553

        That’s still the most definitive step-by-step instructions I’ve ever seen. I used it a couple of weeks ago for my “Seven Semper Fi” machine.

      • #341607

        I suggest a small tweak. After hiding unchecked updates which the user never wants to install, the user should repeat 5 and 6 because sometimes new updates show up after other updates are hidden.

        1 user thanked author for this post.
    • #341562

      Before you start, unplug the computer, then open up the computer.  Before you touch anything inside, touch the metal bits to discharge any static.

      Now, change the battery on the motherboard.

      Check that everything is correctly seated.

      Blow out any dust from the fans, ventilation holes and heatsinks.

      Put the lid back on.

      Reconnect the power and power on.  Good luck!

      Edit to remove unsafe operations.

      1 user thanked author for this post.
      • #341604

        The power supply should not be plugged in since ATX power supplies always provide power to parts of the computer’s motherboard. I always unplug the power supply. Then I press the computer’s power button to discharge the remaining power in the unplugged power supply. When checking all cables and the seating of all components, I always keep one hand in contact with the metal chassis so that my body is grounded to the chassis.

        2 users thanked author for this post.
      • #341750

        This is a safety issue. I want to echo @gonetoplaid, but also question if this should be trashed.

        Please never have power applied when opening a case. I acknowledge experienced builders and experimenters know when to ignore safety to further a project. But to advise this approach for simple maintenance is dangerous.

        As GTP mentions, the important part is that there is no potential voltage difference from your fingertips to the items you touch. You must seek to “ground” yourself by being in contact with chassis common. This may or may not match earth ground, that is less important. My biggest goal in replying here is to avoid having utility power applied to any part of a project you’re cleaning.

        “Honest, I had no idea it could go off!”

        3 users thanked author for this post.
        • #516148

          Exactly. You want your body to be at the same ground potential as the bare bones metal computer case. This is why I always keep one hand on the case metal while I use my other hand to touch, install, or remove anything inside the case. If I have to use both hands, then I make sure that a forearm is making good contact with the case metal.

        • #516232

          I would like to add to the previous advice, this one, learned many years ago as a student of Electrical Engineering, thanks to experiencing multiple shocks and then watching lab assistants already familiar with the problem handle potentially electrified equipment:

          Never grab anything that is, or was, or might be, connected to a power supply. Even if disconnected, or turned off, it might still be charged somewhere and have the potential for giving you a nasty shock. (This also applies in dry winter days, when touching objects that might be grounded while one is charged with static electricity collected by walking on, let’s say, a carpet, especially if wearing shoes with rubbery soles).

          Instead, touch first the object with the outside of your hand’s extended fingers held together and bent inwards, towards you. At the very worst, you’ll get a shock that will bend your fingers further inwards, towards the palm of your hand and will also cause the hand to retract towards your body. If you were trying to grab the object, the same will happen, except that your fingers, while curling inwards, will grab the object even more firmly still.

          Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

          MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
          Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
          macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #396604

      I have recently upgraded to an SSD so I am reinstalling Win7 from scratch. I have always been a Group B but was never really sure how to do it efficiently. I am thrilled to find the resources available here. I have 2 questions regarding updates:

      1. Security & Quality Rollup for .Net Frameworks – do they contain telemetry? Will I miss important security updates if I hide all of these .Net rollups?

      2. Internet Explorer 11 – I never use internet explorer. Is it a security risk to ignore it (hide the update) and stay at the default Internet Explorer 8? Is there telemetry bundled with IE 11 & IE security rollups?

      Thanks.

      • #397546

        The .NET Rollups are considered as safe installs from Windows Update for Group B.

        Internet Explorer is an integral part of the OS. Even if you do not use it as a browser, it is used by other processes in the OS. IE8 is insecure. If you are doing a clean install, you should include IE11 and keep it updated to protect from vulnerabilities. The Security-only updates and the IE11 Cumulative Update are available as direct download links in AKB2000003 on this site each month.

        If you are doing a clean install, some of the earlier Security-only patches (around Feb 2017) may not install.

        1 user thanked author for this post.
    • #398297
    • #960833

      […] If your intention is to avoid the Meltdown/Spectre mitigation as a Group B patcher, you should stop updating with the December 2017 Security-only patches because after that even the Security-only patches have M/S mitigation.


      @PKCano
      First things first.. I want to thank you for all the guidance and experience you’ve been sharing with us on GroupB patching W7 & W81 for so long..

      I usually manage to figure things out on my own with some search and reading, but this Spectre/Meltdown mitigation VS groupB patching still gets me confused … Particularly about the relevance of avoiding installation of Secu-Only patches as recommended in your previous (quoted) post..

      As a GroupB patcher (with relatively old and S/M-vulnerable CPUs), I chose to also avoid the current S/M mitigations available…

      However, I’m not sure I understand your recommendation to avoid installing any post-Dec 2017 monthly Security-Only Windows patches, just to avoid the Meltdown/Spectre mitigations they contain..

      Here’s my point.. From my reading, all of the current S/M mitigations can be disabled from the Windows registry entirely.. If that is true.. why skip any post-Dec2017 monthly security-only patches, which most likely contain not only Meltdown/Spectre mitigations, but probably many other security resolutions not related to Meltdown/Spectre at all as well…

      Installing those shouldn’t prevent anyone from removing S/M mitigations afterward..
      If so, wouldn’t it be advised to continue installing all of the monthly Security-Only patches just as usual, and instead neutralize/defuse/remove the patch(KB)-applied M/S mitigations afterward, using either the registry directly.. (or the fabulous Robert Gibson’s “InSpectre” tool, which does just the same.) I’ve tested it personally on a W7 host and a Debian VM guest (using wine).. both successfully removed all mitigations. All it does is basically apply Microsoft’s provided Registry manipulations programmatically..

      That way, GroupB patchers can continue installing all and every Monthly Security-Only Patch as usual, while avoiding all of the undesired Meltdown/Spectre’s mitigations at OS-level (I do apply most Software-level mitigations too) (same for Hardware-Lvl.. ie: I did flash my ROM’s BIOS-UEFI firmware with my vendor-supplied M/S mitigation’s CPU-Microcode update)

      Sorry for my English.. and the long post.. but I hope you get my point and can provide me with some updated guidance/insight

      TLDR:: Why not install all of the monthly security-only patches as usual (including post-Dec2017), and defuse all of the mitigations afterward ?

      thanks !

      • #961758

        If you feel confident you can disable the M/S mitigations through the Registry, I would say go ahead and patch b/c you also need the other fixes/security updates.
        I, personally, am just not confident that the mitigations would be avoided that way if I were trying to avoid them – which I am not since I am fully patched Group A.
