DIY Service Pack For Windows 2000/XP/2003

Karsten Violka writes "Looking for manageable Windows updates even without an internet connection? Heise's script collection Offline Update 3.0 downloads the entire body of fresh updates for Windows 2000, XP, or Server 2003 from Microsoft's servers in one fell swoop and then uses them to create ISO-Images for CD or DVD. Included is an intelligent installer script that allows you to update as many PCs as desired." Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

yeah, that's real safe

Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

yeah, that's just so terribly safe compared to not having it...except that now there will be like a million fake isos floating around the internet saying they're the latest batch of windows updates and people who are too lazy to make the iso themselves will install the fake, spyware and trojan infested ones.

Already been done in a better form

Its called Autopatcher and its WAYYYY sexier. Lots of installable extras and sexy registry patches to make windows life easier.

http://www.autopatcher.com/ [autopatcher.com]

Re:Already been done in a better form

I've been using Autopatcher for quite some time now, and I'm quite happy with it. It also has some extra utilities that it will install if you select them, and the ability to make various UI tweaks. I find it is a nice way to install everything on a new PC. I download the latest version, write it to a CD and take it to the new PC. The new PC never has to be connected to the internet to get the latest MS updates.

Well Einstein

1) Who says that you must download it from an unpatched PC?

2) The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?

3) What else will we whine about now... the versatility of Macintosh hardware?

Re:Well Einstein

"The probability that an unpatched PC behind a firewall will get "hacked" in the moment while you are downloading it is what... 0,2?"

I would say your second guess of 2 is closer than your first of 0... shall we split the difference and agree at 1?

Re:Well Einstein

Home desktops aren't usually behind firewalls.

That may have been true 10 years ago, but these days most home PCs are at least behind a NAT. Unless you've gone out of your way and configured your NAT to forward all ports to your PC (i.e. a DMZ), outside attacks will be quite useless. The only threat in this case is the user downloading a virus from email, or visiting a compromised website. If you run windows update (well, several times) before you do either of those things, there's no danger.

Re:Well Einstein

That may have been true 10 years ago, but these days most home PCs are at least behind a NAT.

Umm, I'd have to disagree with that statement. Around here the biggest provider of internet connectivity for home users is Roadrunner. They provide you with a cable "modem" that acts as a bridge between their network and your PC. The PC gets a globally valid address.

In fact the only Roadrunner home users I know (not counting geeks/techies) that have NAT routers are those that have more then one computer. Otherwise it's right into the PC and come and get it boys cuz I'm wide open!

Re:Well Einstein

Your average interface-jockey can certainly plug the thing into the cable modem, and plug his computers into the lan side.

I want your users. I lost internet access three times last year because some dumbass down the hall plugged his router in backwards and was trying to NAT the whole damn building.

Re:Well Einstein

Well, the safest thing to do it to simply turn the computer off, remove the CPU, dig it in the yard and lock the rest of the computer in a safe.
Although, script kiddies might still be trying to infect it...

Does MS offer this

Does MS offer a cd with patches? Even for download (or would that violate DRM/DMCA/DigitalDarkAges laws/technologies)?

I know Apple offers their patches as download, complete with SHA1 sig.

Re:Does MS offer this

This site should be "within the limits" of that TOS simply because they don't provide the software. He just provides a tool which you can use to download it from the official Microsoft site, and the TOS doesn't say anything about how you download them, just where you download them from.

Autopatcher, on the other hand, provides the actual software, which is explicitly prohibited by the TOS you mentioned. He has this hilarious line in his FAQ:

Q: Is AutoPatcher legal?
A: Yes, nwraptor once spoke to a Microsoft employee and apparently they know about us but dont care what we do!

Now that's legal advice you can hang your hat on!

Corporate Windows Update

This sounds like a useful script. I know people who manage Windows Updates for corporate networks, and they've mentioned these sorts of ISOs before. Effectively, it allows an admin. to read the KB articles on microsoft.com and pick-and-choose which updates to make available to the corporate network. There's a lot of updates! A backup ISO of the updates you've chosen to make available allows you to easily rebuild the update server if anything happens to it, and to build update servers for other networks based off work you've already done.

As to circumventing WGA: it's already been circumvented for XP SP2. You actually have to download and run the WGA executable to destroy a cracked XP SP2 install (Windows Update doesn't push it to you). Vista may be a different story though.

mandelbr0t

Danger?

Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

A "danger" that is eliminated with a rinky $25 NAT router.

Re:Danger?

A NAT in front of your windows box does do a lot to prevent trouble while you're patching up a new install. As long as you immediately get up to date (before using the machine for anything else) then I'd think this is fine. The problem is people who rely on a NAT device for some sort of security *in place of* security patching. Many exploits work just fine through NAT if you're actually using the machine to surf the web or read email, and way too many people seem to not understand this.

autopatcher has been doing this for a while now

i keep a up-to-date copy for my dialup friends, which most are.

Autopatcher! [autopatcher.com]

Or just buy the firewall you should have anyway

Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

Or you could just buy the firewall you really should have anyway and be done with it. Seriously, I can't imagine anyone would try to argue that it's acceptable to put a server out on the net without a firewall in front of it, so why should a desktop PC be any different? That way you get to protect your unpatched Linux box too.

Re:Or just buy the firewall you should have anyway

Perhaps the key difference is this:

I can put an unpatched RedHat Linux system on the public Internet and download patches without worrying about it. In fact, I routinely use such systems AS the router/firewall for other systems!

If you hear people around here saying things like "Windows is insecure and/or isn't really ready for the Internet", that's because it's true, or you wouldn't need that stupid $25 router in the first place!

The fact that you can't even imagine a server without a dedicated firewall in front of it speaks volumes.

Great idea but...

Hasn't this one already been done with AutoPatcher? I am still gonna play with this and see how it compares. AutoPatcher works fairly well, usually there are only a few items left to download after starting with a fresh install of SP2. For one, something like this that automates downloading the patches to be installed on multiple computers really helps out with the time it takes to patch a system. One download vs the 7 I will be doing here in a little bit is nice. Also along these lines is Update Accelerator for IPcop. Basically, it's a web cache for Windows Updates. You download the updates once, it stores them on the IPcop system and they are delivered from IPcop in the future, makes things take a lot less time and it's free (minus some old hardware and time).

nLite

I've been using nLite [nliteos.com] and RyanVM's update pack [ryanvm.net] to do this for a while now. Great stuff, even works with my Dell OEM version of XP.

nlite

nlite does almost the same thing and is much more flexible and easier to use

http://www.nliteos.com/ [nliteos.com]

Check out RyanVM too

For anyone interested in this sort of thing, you might also want to check out RyanVM:

http://www.ryanvm.net/msfn/ [ryanvm.net]

This allows you to produce updated Windows installation CDs, that actually have the service packs and post-service pack hotfixes *already integrated into the installation*. This saves the extra time normally taken to install Windows *then* go apply all the updates.

Is this the kind of stupid comment that gets...

...a Windows zealot slagged for saying "How are you supposed know how to configure support in *nix if you can't get on the internet to do it?" Seriously...

"Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates." - Who the heck said you should connect the unpatched machine to the 'net to grab this stuff? FFS, I bet ol' Karsten would go to town of the Windows zealot for playing stupid. ;)

Good idea for some applications...

This is a useful tool for my particular environment where we use RapiDeploy to re-image boxes. The image gets a little stale and we have to go through a quarantine network before our Cisco Clean Access authenticates us--we're essentially in a leper colony while we're trying to catch up on patches. It's a bit of a catch 22.

Having the patches on hand would really help when we don't have a little router on hand on field calls.

Yes but...

Yes but no Polish (or any other than few) language version is supported. So it is useless for me.

It just shows how retarded update management is in Windows. It is like 10 years behind Linux and 5 behind OSX. And Vista is no different either.

Wish they would do this for Linux Distros

I wish the big Linux distros would start doing this. Being unable (or unwilling) to patch a linux box without a broadband connections is one of my biggest pet peeves with the current crop of distros.

What about Microsoft?

I wonder what Microsoft thinks about this, right now I'm downloading updates that I wouldn't be able to get since I don't use a legal version of their software.

Thank you :D

Stop with the "unpatched PCs are insecure" rubbish

Anyone with any knowledge of security knows that if you deploy a NAT router/firewall between your unpatched PC and the Internet, whether a simple £50 box in a home environment or behind a DMZ in a corporate environment, then that PC, whether running Windows, Linux or any other OS, is pretty safe as long as you don't run any services out onto the Internet with it and don't do too much else with it. And if you run an Internet connection without one of these in place then more fool you...

On a Windows desktop PC behind a firewall, you are vulnerable to scripts and viruses that it come in from emails, documents & web pages but if you stick the PC on the network and don't use it for any of those things *until* you've put on all the updates, then nothing is going to happen to it. So let's get rid of this stupid notion that the moment you put an unpatched PC on a firewalled LAN, it's going to get swamped with viruses and rootkits - it just won't happen.

No, I'm no Microsoft fan but let's stick to facts rather than "science fiction" FUD stories...

Re:Stop with the "unpatched PCs are insecure" rubb

> These are not SF FUD stories. There are a lot of people who: > - don't know shit about security > - don't know shit about patching > - own USB xDSL modem or connect to *untrusted* network with wifi or something similar (do you carry a $50 router with your laptop?) > - use computer to Just Work With it - as a tool - you know

I agree - but I've set up a number of these NAT routers recently for friends and colleagues, and apart from some simple configuration for ADSL accounts (and some wireless security if needed), these things now work pretty much out of the box. They are a whole heap of good security for little cost that are easy to setup - and protect you from about 90% of the bad things out there on the Internet the moment you switch them on.

And for your information, I carry round a Linux laptop with a fully locked down kernel firewall that I *carefully* open up as I need to if I'm on an unprotected (un-NAT-ed) Internet connection. :-)

> And Windows is not uber-user-friendly there. In fact I think you need to be relatively skilled to set up XP so it is relatively secured. Not > something your mom or dad (I assume) can do with their computers.

I agree again - which is why I recommend a NAT router to anyone I know with ADSL; and if they refuse to buy one, I refuse to offer them any help when their PC goes wrong! :-)

> MS made some stupid decissions few years ago and now they pay the price. This is not FUD. People do not have the latest Vista and so on. Some of them > use 5 year old computers since they tend to work for them.

Again, I agree. But, if anything, Windows 9x didn't have a complete enough IP stack to allow much to be run in the way of services out to the Internet - so it could be argued that unpatched and out of the box, a 9x machine is more secure than XP.

> I can surely install old version of Linux distribution or OSX and do not get infected in 10 minutes after connecting to untrusted network.

It depends on what's out there. Before I moved house last year, on my old ISP I ran an SSH (Secure Shell) server out to the Internet and my log files were filled with scripted access attempts against the server - just pounding away at my server with common account names hoping that one of them would allow entry.

Yes, a secured Linux server is always going to be more secure than a secured Windows server but please don't get complacent about it - it just takes one stupid mistake on either OS and someone will get into it.

Re:encountered (again) another win box without NAT

With *BSD, it's entirely possible to set up a low-level firewall that offers just as much protection as NAT without actually doing any address translation. It does this by monitoring the traffic at the packet-level, and can be configured to block certain ports, to ignore all unrequested traffic, or any number of QoS-type monitoring/filtering features that are a royal pain in the ass to set up on a NAT box. Really, the biggest advantage of NAT is that the DHCP allows you to have more than one computer on the network. (granted, that's a pretty big advantage).

There's even a howto on NetBSD's website that explains exactly how to go about setting such a box up.

But you're right... generally, it's easier to go with NAT in the long run.

Re:Stop with the "unpatched PCs are insecure" rubb

PCs behind a NAT router should be given "private" IP addresses - either fixed ones or DHCP assigned ones. These private addresses are in the ranges 10.x.x.x, 172.16.x.x to 172.31.x.x, and 192.168.x.x.

Since every directed IP packet on the Internet contains the sender and receiver IP address, any Internet router that sees a private address in either the source or destination address will drop the packet and not route it. Consequently, no-one on the Internet can get to a PC in the private address range - not only that but there are probably thousands of PCs using anyone of those private IP addresses at any moment in time.

The trick of a NAT router is that when one of your PCs connects through the router to the Internet, the NAT router substitutes the private source IP address in each packet coming from one of those PCs with the real IP address on the Internet side of the router. So when a response comes back from, say, a web server one of your PCs is accessing, the response hits the router's Internet IP and the router puts the private IP address back in to send it back to the right PC.

It is possible to forward incoming connections to the router onto a PC in the private address space but this feature has to be manually configured on the router and is turned off by default.

So, yes, you can still download a nasty email or script from a server on the Internet, even with a NAT router in place - but then you just don't use a PC for those purposes until you've fully patched them.

Does it *really* matter?

They say one of the benefits of doing this is updating older systems because of the worms spreading the internet. Does anyone who is working with a windows system and needing to install updates (and one who knows how) even directly connect any computer to the internet? In this day and age, I'd bet that nearly everyone is behind a firewall already.

Danger! Danger!

Sounds like a great idea, given the danger of putting an unpatched PC on the Internet to download security updates.

Right. That's of course if you don't have of one the following:

1) 3rd party firewall on the box
2) the OS's firewall (who says you're installing without an SP?)
3) a hardware firewall
4) a home router/switch that does NAT for you (and of course a home network that's not 0wn3d)
5) IPsec policy on the box preveting connections to the ports
6) File & Print sharing + naughty services turned off.. (anyone out there??)


Yea so those are all pretty good... #6 not being full proof but definitely highly recommended regardless. These CDs might be a good [neat] idea. Then again why not just setup your own WUS box and get your patches from your local LAN while not routing out. That way you can save time, touches, and bandwidth!! wowzers.

Installed patched OS, same as old OS

In Capitalist West you burn cd for unsafe consumer operating system.
In Soviet Union unsafe CIA operating system burns you.

Re:Installed patched OS, same as old OS

One of the best "In Soviet..." jokes I've ever seen, for those not in the know, it refers to some US made technology, most famously pipeline control software, the soviets stole in the early 1980s which was carefully designed to pass QA tests, then go haywire. Suffice to say, the plan worked, and in fact produced the largest non-nuclear explosion seen from space when it took out a large natural gas pipeline in Siberia. A version of the story here [fcw.com].

Dangerous to put an unpatched machine on the net?

    Well, it can be, but doesn't have to. Behind a decently-configured firewall, the machine can download patches without any connections from the outside getting through. YOU might ruin things by initiating connections to non-trusted sources, but that's your fault, not the OS. Of course, the security of other machines on the same network is important, but it's easy enough to maintain a seperate, firewalled network for "fresh" machines, or any sort of machine you're not sure of.

steve

Alternate Windows Update method

I prefer UpdateHF.vbs

Once you've installed Installer 3.1 and BITS2 , it downloads and installs all the updates from the Windows update site

http://www.wsus.info/forums/index.php?showtopic=68 31 [wsus.info]

Security is about "survival of the fittest"

In response to some of the comments in this topic, a lot of the people on here need to be aware of the fact that OS security is a *process*, not a *goal*. Whether you run Windows, Linux, FreeBSD or whatever, it is very dangerous to assume that just because you have the latest updates installed alongside the latest virus checker, that you are "secure" and can just then sit back and relax.

The unfortunate fact about OS security is that it is a case of "survival of the fittest". It's pretty safe to assume that as long as there is an Internet, then there will be crackers out there trying to break into PCs that sit on the Internet. From their perspective, if they crack open a PC then they are happy and that the longer it takes them to break into a PC, the more likely they are to just give up and try another one.

Consequently, the more "walls" you put in the way of a cracker, the more the chances that you'll reach the limit of his abilities & make him give up. So security is all about doing *multiple* things against attacks - disabling well-known account names, using strong passwords, deploying software firewalls *AND* NAT routers, turning off unnecessary services, tightening the configuration of needed services to only allow certain hosts to access... these are all *ADDITIONAL* steps to just applying software updates.

Sure, a lot of these processes are tricky for new users but a lot of them are also very simple to deploy - and any of those that you do deploy put you one step ahead of the people who don't deploy them and who are, consequently, put at more risk from attack by crackers.

Concept is great, execution is poor. ERRORs

I just tried it, selected Windows 2K english, per selected platform. It instantly pops up a CMD window with a wget error:

Starting download (v. 3.02)
Copying Microsoft registry console tool...
Downloading Microsoft ifmember tool...
Can't timestamp and not clobber old files at the same time.
Usage: wget [OPTION]... [URL]...

ERROR: Download failure.

Press any key to continue . . .



Looking at the components it's not clear if there's an erroneous parameter passed to wget or something, as several things are less then obvious-- what the error means, exactly what wget command it's trying to run, etc.. No log file in sight... Not looking good...

no room for discs....

that's all fine and dandy, but we may have to wait for these [slashdot.org]

use your Mac to download the updates

Then reboot in Windows to install them.

Someday there will be threats to the Mac OS, so you can download the Mac updates from the Windows half of your Mac...

NT4 Revised Service Pack 6A

I made a service pack 7 for Windows NT some while ago, but it is still in late alpha. When this installs, it does so as "Revised service pack 6A". Still, i use one further patch file to deliver updates, like the 2k3 NTLOADER / NTDETECT.COM, sol.exe and cmd.exe from Windows 2000, and a few other "fixes".

There are, none the same, a number of useful projects to slipstream fixes etc into both OS/2 and Windows.

One might for OS/2, try UPDCD, and compare this with the various Windows versions: NLITE, HFSLIP, and USP5 for Win2k. The UPDCD, NLITE and HFSLIP projects are multi-versions, while USP5 is for 2000 only.

Windows 3.1 did not check any files, and one has always been able to update the stuff. I managed to add all of the fixes to PC-DOS 6.31, once one gets a hold of compress.exe v 1.0.

Do these qualify as SP2 versions for Boot Camp?

One of the things that has been putting me off from trying Boot Camp is that I have to re-purchase Windows XP to get it with SP2 on the disc (the machine I used this copy on has been decomissioned for now and I haven't built a replacement). I'm wondering if doing this would produce a disc that would work with Boot Camp or Parallels?

XP SP3 / Vista SP1

XP service pack 3 and Vista SP1 Beta can be downloaded here [ubuntu.com] then installed offline. Remember to choose the "alternate install" ISO.

Trust him? Do you know what Heise is?

Who do you refer to, exactly? Heise? Heise is not a him, it's a big (and trustworthy) publisher of computer magazines in Germany (c't and iX).

Re:Problem with reg.exe

So what's the point of using a reg.exe from the NT 4.0 resource kit? Rename a self extracting zip to reg.exe?

In short, don't play with strange links posted by anonymous cowards...

Jonah HEX

Re:WGA & Patching pirated copies

Yes, there is. Every time MS releases an updated WGA .dll, the pirates release a cracked copy. Shows up all over the place. Download, overwite the files in WINDOWS/SYSTEM32, and presto, no more nags, and you can use Windows Update manually too.

I have a feeling it won't be quite so cut and dried with Vista though.

Re:Trojan Horsey?! Neigh!

In the rush to be first post, you seem to have missed that all the source code to the tools (and even gpl.txt) are included in their zip file. You need to trust AutoIt [wikipedia.org] to build some of them. I see a few binaries that don't have source included, but they're generic ones like mkisofs.exe and wget.exe that could easily be replaced with trusted versions.

Re:Vital...

MS sent out SP2 CDs when it came out to anyone who asked, completely free of charge. They still do it now; you just have to pay shipping. Not to mention MS have *always* offered tools to let you slipstream updates into a custom installation CD.

Re:Not a clever move for MS...

this would be about as bad as going to octoberfest getting BLASTED and then going down the autoban with the pedal to the metal and playing chicken with a semi (or an M1-A1) driving a RABBIT

Re:Problem with reg.exe

REG.EXE is supplied in the Win2k support tools (on the Win2k cd-rom), or in the base install of Windows XP and later.

The reg_x86.exe is actually a winzip file (it can be opened in any zip utility), the relevant file contains reg.exe, along with a readme file (suggesting the file goes to c:\reskitnt). I have been incliding reg.exe in the various update files etc.

Re:autopatcher + nlite

Can you use autopatcher + nLite in tandem? I want to use nLite to customize my windows cd by installing all the applications I use automatically. I want to use autopatcher to apply the updates. How do I do this, what I just said?

You can, but you have to install autopatcher first (I would imagine on the build that you're going to create the "nLitened" install disk), then navigate to the program directory and manually copy the hotfixes (which are in individual folders for each hotfix...) to a suitable single directory location. It will be much easier with this script, though - as they will already be in one location.

You can also add whatever application you want to the $OEM$ folder and create a batch to run them on first boot, but you'll most likely have to remove some of the components from the original cd if you want to put a few things on there (languages and keyboard layouts are best - you'll get about 80 MB). You can of course use one of the presets, but I wouldn't recommend this. I used the "safe" preset once, added my drivers and hotfixes and it removed my IDE drivers - so even though it installed from cd, when I booted into Windows (I only have SCSI and SATA HDs), I had no CD/DVD drives!!!