Hacker News new | past | comments | ask | show | jobs | submit login
Windows Update Restored: Fix Windows update on Windows 95, 98, ME, 2000, and XP (windowsupdaterestored.com)
306 points by gslin 7 months ago | hide | past | favorite | 175 comments

This seems like a nice altruistic useful thing, but (given some overly-trusting security practices we still often see) it'd still be good practice to keep some ideas in mind...


1. Running Microsoft Windows.

2. Running out-of-support Microsoft Windows.

3. Running out-of-support Microsoft Windows and having it report itself to a server of unclear provenance and security (which could be efficiently indexing such insecure machines, and possibly even exploiting vulnerabilities during this simple interaction).

4. Running out-of-support Microsoft Windows and updating its system software from a server of unclear provenance and security (which could install malware, possibly even defeating any outdated vendor signing).


* If your important science/medical/industrial/etc. equipment is stuck on ancient Microsoft Windows, probably you want to keep it airgapped and treat it gingerly, while planning to upgrade to more sustainable equipment (and hopefully it doesn't fail abruptly before convenient).

* If you're playing with Microsoft Windows for personal use, that's fine, but maybe consider whether you'd prefer to spend your time and energy instead learning and creating atop an open source software platform.

* For many business and personal purposes, Debian Stable is a good OS platform, and this is one installer for it: https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/

I hate windows, like I'm trying to get off it because of the ads/ragebait news. I hate edge. Microsoft is basically a never buy anymore, but according to this:


Getting a Windows exploit is higher value than any linux exploit. Given how many servers use Linux, it makes me wonder if Linux 0 click are easier than windows.

There are a bunch of counters like 'there are too many distros', or 'a personal computer of a VIP is higher value than some corporations'. But I'm not sure its fair to include your point number 1.

I like to give people credit where its due, I imagine it took lots of work to make windows as secure as it is. (Giving Android OS the most credit for their 2.5M payout)

Linux servers generally aren't being used interactively though and expose a fairly limited attack surface to the internet, and so I feel like the value in Linux server exploits is more in the openssl/Apache/etc vulnerabilities

Linux is the just kernel. Everything else in a distro is software running on top of it. Kernel bugs are generally hard to exploit remotely and typically have to be chained with other exploits. That's why there's so many specific payouts for common enterprise apps. Windows is a complete, highly integrated OS with a wide array of attack vectors baked right into it.

Plus sketchy companies like Zerodium major customers are nation-state actors who are primarily interested in data exfiltration and the application data stores themselves.

>Kernel bugs are generally hard to exploit remotely and typically have to be chained with other exploits.

This is why its so valuable though.

But what’s the point ? Most vulnerable Linux servers are hosting blogs or dns servers. They’re only useful to run a crypto miner or host a phishing page, and for that you probably don’t need to go further than exploit a wordpress bug. No need to go for the kernel or even root.

Whereas a desktop often has users on it who enter banking details or corporate login credentials. Much juicier targets.

Can be a good DDoS source, lots of bandwidth often. Bonus if they can spoof packets, which needs root.

The payouts are based on what their 'clients' are willing to pay in turn for the exploits. There's just less of a market for Linux kernel exploits. If nation-state actors are involved in deep APT style attacks where they would leverage low level kernel exploits they are going to either develop the exploits themselves or acquire them through their own clandestine channels. Purchasing that stuff from a publicly facing company that could potentially be compromised themselves is high risk and leaves too obvious of a trail.

Two reasons I think Windows exploits would pay higher than 'Linux':

1. The Windows (end-)user base is much larger than Linux (not counting Android), so a Windows exploit enables more potential victims.

2. Windows has been the de-facto corporate OS for a long time, so a Windows exploit offers more high-value targets.

It's strange to me that Thunderbird is even on their chart. Surely only a few free software enthusiasts use that anymore? Most of the population doesn't even use a desktop email client and if they do its work-provided Outlook to connect to Exchange/Office365.


>Zerodium reviews, tests, validates, and documents all acquired vulnerability research then provides it to institutional clients as part of the

Zerodium only cares about shit their own customers want to target. They aren't trying to fund the entire world of software security.

Their customers in particular are select governments wanting exploits for their own use. You can sure as shit bet they already have specific targets in mind and what they use.

EDIT: For example, the forum software noted on Zerodium's list are popular for "blackhat" and "darkweb" forums from everything from card dump selling to malware. Many governments would love to get themselves a database dump with some user IPs. Conversely, this is why Discourse which is a major BB these days is missing as it's not popular in those circles.

Desktop Email Clients are good for downloading all your Gmail before Google randomly decides to nuke your account.

I'm sure 99% of the population does not use email personally anymore, except for delivery of their Amazon invoices.

Yep. Receipts and notifications. It’s a bad means for communications.

> I hate edge.

It's a thin wrapper around Blink just like Chrome/Chromium. What is there to "hate"?

Edge allegedly manages to be worse at privacy than Chrome: https://apple.slashdot.org/story/20/03/07/0054219/edge-brows...

> What is there to "hate"?

The endless fluff and clutter to clean up (Search bar appearing on desktop, sidebar foistware). The relentless marketing and push of adjacent services (Bing AI).

The passive-aggressive IE compatibility mode (unremovable nag banner to stop using IECM, your Legacy App URLs expire after 30 days for no good reason).

So many ads on the home page.

'turn it off'

I did. But its not intuitive, its some settings button that is semi-transparent. I literally had to google/bing it.

The inital setup was awful.

Then it opening all my links in edge was not okay. I'm signed in on firefox, I don't want things opening in edge.

I can't remember, I gave up after the whole BingGPT thing was a let down.

Compared to Windows, I find that most linux desktop distros have what I would call ‘stability vulnerabilities’ where the user has to tread carefully when doing something basic like updating graphics drivers or applying other updates, or changing resolution. Otherwise they end up with an OS that wont start or will just show a blank screen. I wouldn’t recommend linux for general business or personal use unless this kind of tinkering is enjoyable or you have sufficient IT staff.

There are the same exact problems on Windows though. Microsoft nowadays basically treats it's install base as beta testers and you regularly hear about breaking updates. There are devices out there with funky drivers, most notably Nvidia cards, but if you can avoid those (I know many people can't, me included) and choose a stable distro, I genuinely fail to observe these supposed instabilities on Linux. Personally, I think the real reason why companies are not switching is familiarity. Think of all that money spent on MS product training over X employees. Billions are spent yearly in this industry I'm sure.

Which is why the first thing I do on any Windows install is disable or block automatic Windows Updates and only run them once every blue moon when I've set aside time to waste on borkage.

And before anyone says I'm in danger by running unpatched Windows:


My threat model is such that the time lost and wasted from updates breaking shit is significantly greater than the dangers posed by hypothetical threats those patches ostensibly guard against. Updates are simply and literally not worth my time and concern compared to having systems that just work every day all year long.

If I need to comply with regulations or audits or I am the target of focused attacks, then yes the scales shift the other way. But as a general, and particularly personal, concern? No, updates are a waste of my time.

Linux is even worse because I don't even need to run updates for something to break and waste my time.

Your comment feels like it came straight from 2014's /g/. This is literally "My time is too valuable to do X" argument. But perhaps you don't care. Fair enough. You do you. You are, however, absolutely in danger running unpatched Windows, unless it's an airgapped industrial PC or something similar. Even then, such systems can and were compromised (stuxnet, for instance).

>If I need to comply with regulations or audits I hope you are not handling any customer info on such systems... or are you?!

There seems to be a deeper issue at play. I've seen it many times, even here on HN. So very few people actually know anything about information security, and if they do they only have horrifying misconceptions from god knows where. No wonder why there's so many data leaks when the responsible people have these attitudes.

My time is too valuable to be wasted by god damn updates, because you know what? I'm only getting older, my eventual demise keeps looming closer, and I have so many things I want to do and places I want to go before the grim reaper picks me up.

It's the kind of re-evaluated outlook on life you only get as you grow older and you start witnessing more and more deaths and imminent deaths around you. I'm also dealing with cancer in the family (I'll spare the details), so my time really is too valuable for god damn software updates.

>I hope you are not handling any customer info on such systems... or are you?!

I'm not. Like I said, if my threat model actually incorporates the kind of threats that updates ostensibly protect against, the scales would weigh differently.

Would I keep business computers updated? Absolutely, if for no other reason than so I can make it all someone else's problem. I'm talking about my own personal computers.

That is understandable, and, as I said, your choice. You did mention business use in your original comment though, where I wouldn't say it is, or should be.

On a flip side though, I've seen so many older folks loose so much time and undergo a lot of stress (which may be highly unwarranted for medical reasons) from having money stolen by banking malware, or more recently, good old phishing. It's like a vaccine, we endure a small pain to prevent a much greater one in the future.

Anyway, I hope you and your family does well!

I respect your individual experience but this hasn't been the mainstream situation for many years now.

Back in 2012 I was the Head of IT for an A series start-up with about 80 people and we ran almost all machines on Linux (mostly Ubuntu) and it worked like a charm. We scaled to about 400 people before switching to Chromebooks in 2015 for the vast majority of users. Our IT operations team never had more than 4 FTE at any point in time, which compares very favorably with any other company. This was possible because Linux environments are extremely easy to maintain for a trained IT staff and, obviously, because we mostly avoided the MS Office crapware (which was less crappy back then than it is today). Google Suite served us fine and the rest was custom web-based software.

Today I'm at a different company, no longer in the trenches, and use MS Windows machines for my work and there is not a single week going by without need to call tech support. Adding the counter-productive helpfulness of MS Office applications I sometimes think MS is paid by our competitors to destroy our productivity. That's a "stability vulnerability".

Coincidentally, I ran into one of these this week. I decided to upgrade my bog-standard Debian installation on a headless NAS from buster to bookworm. Should have been easy peasy: Update sources.list and then apt full-upgrade, right?


Half way through, Debian seems to have lost[1] libcrypt.so.1, which everything important in the system relies on. Could no longer sudo (needs libcrypt) from the session I was logged into. Couldn't re-log in at all either over the network (ssh needs libcrypt) or locally (local authentication needs it too). Could not even get to single-user mode because init=/bin/bash didn't even work. I ended up having to boot from a liveCD, re-assemble the raid partition containing my root filesystem, and manually copy libcrypt into /lib/x86_64-linux-gnu/

All because I tried to upgrade Debian from 10 to 12, skipping a version, which, apparently you can't do anymore.

As much as I can't stand Windows and I grin-and-bear macOS, I've never had an experience even close to as bad as that on those systems.

1: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993755

Recently had a Windows update break my work computer. Everything seemed fine until trying to run a Windows Service in Virtual Box with the HOST OS being Windows 10 IoT in RTOS mode. The attempt to start the service create an infinite loop. Uninstalling nor re-installing the Windows updates fixed the issue. Took a month to convince IT to re-install Windows from fresh to fix the issue.

The second most recent was when Windows Store local repository become broken. Any attempt at resolving the issue failed using Windows provided tools. Yet again had to reinstall the OS and all applications.

This is the big reason why I prefer Linux over Windows any day of the week. Windows fix always seems to be the same, re-install OS and applications. Never had a problematic Linux installation that couldn't be resolved with a live CD / USB. Boot into live USB, mount encrypted partitions, chroot into environment, fix problematic package(s) or re-edit configuration files, reboot. No need to reinstall the OS and all applications.

Linux packaging system(s) are heaven compared to the Windows update hell-scale. Ever have to find a way to update the Root Certificates in order to install .NET Framework 4.7.2 offline on Windows 7 Embedded SP1 that is air gaped and has not had an update since the computers were shipped? Not fun.

>The second most recent was when Windows Store local repository become broken. Any attempt at resolving the issue failed using Windows provided tools. Yet again had to reinstall the OS and all applications.

oh man, I had my Windows install get into a weird state where trying to open 'Updates & Security' would just crash the Settings app altogether. Eventually I submitted a feedback hub report for it with a dump and tttrace (though that was a journey in and of itself) and in the meanwhile I actually managed to get updates installed via the PSWindowsUpdate powershell module. Alas, that still didn't fix the crashing Settings app. I had a friend at MS promote my feedback hub item to a bug who relayed the reason being that my copy of MusUpdatehandlers.dll was corrupt somehow. Ok, I guess I can try using sfc and dism to hopefully repair that. A couple rounds of that and all I learnt was I actually had a few more update related DLLs that were also corrupted. The real kicker being the copy in the store was also corrupted??

  2022-05-25 16:40:41, Info                  CSI    00000226 [SR] Could not reproject corrupted file \??\C:\WINDOWS\System32\\updatepolicy.dll; source file in store is also corrupted
Anyways, I was too stubborn to just reinstall and got it fixed by grabbing an install.wim from an ISO that matched my install and telling dism to use that. The really dumb thing was i first tried to do the repair in offline mode pointing it at the install.wim for sources but turns out that's just not supported. Instead you get some opaque failure message and it only mentions the fact that wasn't supported in a single line buried in the huge log file.

It was unsupported to jump releases while upgrading twenty years ago when upgrading woody to sarge as is now. Don't spread rumours. I've been there and the READMEs are still online for reference [1]. And unsupported does not mean impossible. One just can't blame the distro for a failed install.

And if you had bothered to read the Release Notes for bookworm: It's in there [2]. Also you are instructed that only upgrades from bullseye are supported, and to upgrade to bullseye first if you are running an older version.

Nobody else to blame for your fall.

[1] https://www.debian.org/releases/sarge/i386/release-notes/ch-... [2] https://www.debian.org/releases/stable/amd64/release-notes/c...

I've been using Debian since before woody, and am well aware of the usual caution against jumping versions. I have jumped versions in the past with very little pain despite it being officially unsupported. Obviously this time I gambled and lost as it clearly breaks your system more severely than usual.

None of that changes the user-experience comparison with mainstream OS's or parent's point about Linux's "‘stability vulnerabilities’ where the user has to tread carefully". Linux is well known for being a sharp tool without safety guards. That, and the "RTFM" tone of the typical response to trouble, are some reasons why the Year Of The Linux Desktop is perpetually stuck somewhere in the future.

The fact you can fix anything (even a misguided attempt) in 15mins with a live drive is a great strength imho. Back in the 90s you’d often have to reformat partitions to recover any OS.

Windows doesn't let you upgrade from Vista to 10, so I guess your complaint is they didn't stop you from manually editing configuration files manually?

I hear this sentiment frequently, but it doesn't match my experience. I sure can relate to the idea, but that was a decade ago. I install a fair variety of Linux distros on a pretty wide variety of hardware between my work and personal efforts, and it pretty much just seems to work these days. The last grief I recall in this regard was trying to run Ubuntu 64 on a Pi4 with Vulkan, but that was a couple years ago when things were known to be unstable. That or maybe doing something obviously inadvisable like trying to change distro on a live system by changing the apt source files on a Debian install to Ubuntu repositories and running an apt upgrade. And honestly even things like that work a surprising amount of the time. I know it's good to be introspective and truthful about shortcomings, but I really have to hand it to all the open source contributors, package maintainers, and all the rest. The modern Gnu/Linux ecosystem is pretty remarkable, in my opinion.

On the contrary, Linus of LTT managed to uninstall the GUI of his PopOS install within an hour while attempting to install Steam only last year. https://youtu.be/0506yDSgU7M?t=618

By forcibly overriding the safeties that stop you from doing that. I can run `rm -rf --no-preserve-root /` in less than an hour, too, and it's just as meaningful.

> changing resolution.

Er, this decade? How would setting resolution go badly today? (The closest thing I can think of is that once upon a time you could mess up CRTs with bad settings.)

True but the older your hardware is the less you encounter it… so I guess the best use for it is giving life to old hardware.

I would imagine this is only true to a certain point.

Like, I would not be surprised if there were issues trying to run an AGP or PCI video card.

There's probably a sweet spot where some hardware is old enough to have had all the major bugs worked out, but not so old that nobody bothers developing and testing it anymore.

I'm sorry but this is all but true. I've a 13700K and a 4090 and it's more reliable than 2 of my old hardware machines..this is slowly becoming a myth unfortunately as new versions of either DEs or desktop protocol (s) are slowly deprecating tons of stuff..

I’ve had good luck with Xubuntu on a couple older machines so far but I’m not trying to run it on anything modern. My experience trying to do desktop Linux on a recent machine is quite old so maybe things are different.

That's pure fearmongering FUD.

Recommending Debian to the retrocomputing community is possibly the most tone-deaf thing I've seen today.

This. I suppose it can't be helped given the link was posted without context. But yours is the only post here that seems to get it.

For everyone else: This project exists for the joy of the retro-computing community. No one in their right mind - retro-computing enthusiasts included - would ever recommend using any of these versions of Windows for anything other than amusement.

No, DOSBox is not always an alternative.

Retro enthusiasts are quite excited by this project. And for anyone wanting to rebuild an old PC running Win95 for fun, this is going to be a very helpful tool.

Michael MJD (YouTube) covered this yesterday in fact: https://www.youtube.com/watch?v=xbeqLmSVqvs

I'm with you that they could have stopped talking after the word "instead" but the rest is not fearmongering nor FUD: installing operating system patches from a random server on the internet just isn't a great idea

> That's pure fearmongering FUD.

It is. It's a community project that you can trust, or not. Debian also reports to servers of "unknown provenance" and updates itself from there.

Now, Debian has probably a lot more eyes on it than some Windows Update revival project, but some more niche distros have essentially the same problem.

> Recommending Debian to the retrocomputing community is possibly the most tone-deaf thing I've seen today.

archive.debian.org might be right up their alley

>If you're playing with Microsoft Windows for personal use, that's fine,

Saying you're free to have your hobby isn't tone-deaf.

When you bury it in FUD it is

The "FUD" is clearly describing non-retrocomputing use cases, where everything they said is completely true.

If you're use for this project is personal enjoyment, have fun. If it's an important cog in your business, you should probably fix that.

People always say this but

1) doesn't even a domestic router block all inbound connections?

2) is there any evidence of unpatched remote vulnerabilities for windows 98?

Yes, and probably not (and even if there were, I suspect no one has a huge incentive to go looking for them anyway.)

> Running Microsoft Windows.

Is Windows 11 with all of the default security settings really that insecure? Like Windows Defender, Windows Firewall, anything that needs admin needed you to click "yes, elevate to admin" through UAC

I just posted this above, but according to Zerodinium, Microsoft Zero Clicks are the highest payout for a desktop OS. Either they are the most secure, or its a popularity thing.

Also maybe because Windows is used heavily in enterprise where there is big money to be stolen from finance departments.

I'll never accuse old Windows of being bulletproof, but I've gotten some considerable reliability out of old appliances by adding SSDs, a passively cooled chassis, and a weekly reboot scheduled task. Basically, just get rid of the moving parts and plan for state drift.

Old OT is actually pretty easy to take care of aside from sourcing replacements for some secret sauce PCI card that is no longer made. New OT blurs the line with IT in a really difficult way however, you can no longer rely on a dead simple airgap to solve your security concerns because everything and its mother wants to be on the internet.

You can not just rely on air gapped either. You have other avenues for attack as well. I actually virtualize most of my legacy OSes when possible. Just maintaining adequate serial connections when a USB to serial connector will not work with your legacy OS and a VM can't maintain a stable serial connection through the host OS. It's been a nightmare.

I'm glad somebody brought this up. I was waiting for the follow-up article to post on HN about the "Botnet of Windows 98 Machines"

Yes, all 48 of them.

"Be very careful connecting to some random server and running code from people you've never met, with whom you have no contract or legal comeback, just because other people are doing it. Also, download Debian!"

You can audit Debian, or rebuild it yourself. Try that with Windows.

Debian had over 324 million lines of code in 2009. How do you propose to audit that in a lifetime?


So does Guix, and it has reproducibility features and rollbacks.

>* If you're playing with Microsoft Windows for personal use, that's fine, but maybe consider whether you'd prefer to spend your time and energy instead learning and creating atop an open source software platform.

Open source does not address my need or desire for Windows, regardless outdatedness.

Seriously, it's annoying that fReE and oPeN sOuRcE are thrown around like they will solve all the problems in the world. Spoiler alert, they don't. Especially if that problem involves a practical need that most libertarian neckbeards wouldn't care about.

Yes I run Windows, and yes I happily run EOL Windows because they are required to run something reliably. And yes, I happily run unpatched Windows because updates break shit and waste my time compared to the dangers posed by hypothetical threats outside my practical threat model.

Something being free or open source does not in any way fundamentally address my needs and desires. No, Wine is not a panacea (unless we're talking about the drink). No, I'm not going to waste even more time getting Linux to work just so I can get on with life.

What about retro gaming?

WINE will run tons of w9x games with assistants provided by Lutris just fine.

But lots are not fine... Also people pay real money to play old games on old computers and old CRT screens

You can hook a CRT to Linux any time, even easier since X.org with autodetection features.

What I'd love is a project for Windows 11 that gives me back full control of which updates I download and when I reboot. I've been living with vague registry hacks and the "pause for 5 weeks" button but they're getting less effective.

The genuine answer is that you won't get this functionality unless you use windows enterprise. Which of course you can't purchase.. This functionality is locked to just the enterprise and will likely never change..

> can't purchase

There are certain high seas where such things are plentiful.

With all that risk and effort, seriously why not just use linux?


Because most of this list is not Native or Platinum.

Games on Windows just work.

Also, how well does VR work in Linux these days?

> Also, how well does VR work in Linux these days?

this loaded question should be directed towards the developers.

that any Windows game works on Linux at all, given Microsoft's record regarding interoperability, seems like a miracle.

If I had to make an equally loaded question I'd say, what OS are they using to host their game servers?

Game servers are fairly frequently hosted on Windows, simply because the game server often shares a lot of code with the client (including libraries which may not be cross platform), and game developers are often most familiar with Windows.

VR on Linux depends on your headset mostly AFAIK. Oculus (Quest will work with ALVR streaming, but I had mixed results) and WMR require software that isn't on Linux. Valve Index supposedly has good support and VR games are playable with Proton.

i don't know anymore. i'm getting really annoyed by background processes interfering with my counter-strike ping. like microsoft is checking my mail or uploading some telemetry bs or something. i can't wait to get back on linux.

You could check out Portmaster for blocking those. It does take a bit of work to get it working well with games though.

it's interesting that you say that. i recently installed Portmaster for another reason and have been turning it off when playing CS as it was blocking it. I will look into configuring it. Cheers.

This is equally as dangerous.

Eh, not really. You can download a windows pro ISO straight from microsoft [0], install it, and then upgrade it to enterprise using the kms client key [1]. That can then be activated using an open source kms server emulator [2] that has a reasonable amount of code you can audit if you're extremely paranoid.

If you don't want to go through the hassle of installing and then upgrading I'm also pretty sure you can upgrade one of the images in the wim offline using dism.

0: https://www.microsoft.com/en-us/software-download/windows10 (will serve you an iso directly instead of the media creation tool if you give it a linux user agent)

1: https://learn.microsoft.com/en-us/windows-server/get-started...

2: https://github.com/Wind4/vlmcsd/tree/master


I do work on my windows machine, so doing anything illegal just gives me the opportunity to lose 1000x more money than if I just upgraded legally.

>The genuine answer is that you won't get this functionality unless you use windows enterprise. Which of course you can't purchase.. This functionality is locked to just the enterprise and will likely never change..

Of course you can purchase "enterprise" versions of Windows 11[0].

What's more, anyone can purchase most of Microsoft's offerings for ~USD$1000[1].

[0] https://www.microsoft.com/en-us/d/windows-11-pro/dg7gmgf0d8h...

[1] https://visualstudio.microsoft.com/vs/pricing-details/

a license at 1000 is not a license that's purchasable for a normal consumer.. you may also need to sign a EA and this opens a can of worms. The point is that you normally can't obtain a enterprise license.

>a license at 1000 is not a license that's purchasable for a normal consumer.. you may also need to sign a EA and this opens a can of worms. The point is that you normally can't obtain a enterprise license.

That's just not true. cf. the link I posted[0].

Anyone can buy a Visual Studio Developer Subscription (formerly "Technet Library" and "MSDN" packages) (USD$1199.00) without an enterprise agreement with Microsoft. I've used it for many years and will continue to do so.

And you don't need to renew it either (I'll generally do so every 5-7 years to get access to the latest stuff, but it's not necessary or required), especially since the software isn't "in the cloud" so you can have most of Microsoft's products (workstation and server) on local media.

But if you think I (and the Microsoft subscription page) don't know what I'm talking about, feel free to ignore me. It's no skin off my nose. In fact, it's about time for me to go and do (for the fourth or fifth time) what you say I can't do. Thanks for reminding me!

[0] https://visualstudio.microsoft.com/vs/pricing-details/

Edit: Fixed typo. added missing words.

> unless you use windows enterprise. Which of course you can't purchase..

I recently purchased a Windows 10 Enterprise key from a website called "RoyalCDKeys" for under $4. It worked to upgrade my Windows 11 installation.

Basically any reseller will work but only if they use a payment processor other than PayPal. PayPal will only end in misery and your money being lost.

Tiny11 is a thing but I've no experience with it. https://duckduckgo.com/?t=ffab&q=tiny11

"service channels" are not a thing anymore?

This should go without saying but this flagrant disregard for what users want is going to continue and get worse as long as people keep buying and using Windows. I wonder pretty often why people put themselves through this crap to use Windows.

A possibly illustrative example:

A year or three ago, my uncle (mid-50s, telco IT manager, started on a Commodore in the 80s) decided he'd try Mint instead of upgrading from Windows 7. He got it installed and running, and decided he wanted to burn an audio CD.

His install of Mint didn't come with any application to accomplish this. He got something recommended installed easily enough, but it only supported FLAC, not his MP3s. So he removed that and got some different CD burning software that did support his MP3s, but was set to Finnish by default. He got enough Finnish translated to get it changed to English, and then ran into some sort of driver/support issue for his particular CD burner.

At that point, he did the free upgrade to Windows 10 and then burned his CD in less total time than he'd spent not burning a CD via Mint.

It has been a while for me since I last ran Mint, but back in the day it used to come with Brasero which can burn audio CDs. It would have supported mp3's, but he would of had to install the non-free codecs which was an option at install time or would have been installable from the settings.



Ubuntu-Mate user here.

I can't speak for Linux Mint, but last few times I tried to use Brasero it was issue after issue after issue with some kind of lower level driver thing. I installed the missing libraries, still nothing. Tried searching for a fix and found nothing that could resolve my issue with Brasero. I installed K3B and it just worked, so that is what I do now.

Possibly the parent poster's uncle ran into something like this and gave up instead of trying a KDE application?

And this is why the "Year of the Linux Desktop" will never come.

Because of quite possibly the dumbest anecdote I've ever heard? I'm not sure morons anonymous has much influence in the real world.

No kidding. Recycling anecdotes from 20 years ago.

Sticking your fingers in your ears and saying "everyone is making up problems, Linux is perfect!" is the other reason the "year of the Linux desktop" is never going to happen

Because that's what comes on computers, and that's what the software they need runs on. The obvious reasons. If you want to fix that, work in antitrust, work on getting at least governments and public schools to choose FOSS solutions, work on improving FOSS solutions, work on Debian installers...

Windows didn't come preinstalled on my Mac.

Because I'm an adult who knows how to weigh all the pros and cons of a situation and make decisions based on the sum of that reasoning rather than the emotion raised by one pain point. (My own or someone else's.)

Enjoy not having control over when or how your OS gets updated then.

I'm solving this for myself with Windows 10 LTSC, which I keep activated with an activation emulator I host. For a professional, it was super easy to setup, virtually zero maintenance, and I get a pass on at least a good chunk of the bullshit that goes on in the MS-verse. Functionality doesn't seem to be lost, but I just use it to play my multiplayer games because of their Windows-only rootkit, I mean, anti-cheat.

You are the beta tester. While you're using "your" windows, you're performing a task as an unofficial employee. If something is free for you, you are the product that is sold.

Windows is not free.

Windows pro managed through intune should give you that control, though it is a bit of an awkward path for a single user.

Just buy a pro/enterprise version, they support the GPOs to block updates

Windows Update Blocker works as a nuclear option to disable all updates.

Use registry editor to export And then delete wupdsvc and waasMedicSvc services. (HKLM/system/currentControlSet/Services) Reboot. Enjoy. Whenever you want updates, double click exported “reg” file and reboot. Allow updates to install. Delete services again.

Lookup Windows 10 LTSC

Not sure if this is because I run the Pro version but I've never ever ever once had Windows 10 or 11 reboot to install updates on it's own.

PSA: Security updates for 2000 and XP are still available from Microsoft at https://www.catalog.update.microsoft.com/

Windows Update did a better job over the years selling me on the Mac platform than Apple ever could

Funny enough, windows updates are infinitely better than macOS updates, which takes 30-60 mins each time.

This was one of many gripes when I went from Android to iPhone. Holy crap, every day there was some necessary update and I had to sign into my apple ID + be plugged in at 2am or something.

Every time I unlocked that phone it would bother me.

That, a slower response time(might have been due to animations), not having widgets, and some buggy official apps like the podcast app, and I bailed from iPhone pretty quick.

I admittedly was so excited to unbox and give Apple all my personal information. Weird.

Yea I own a iPhone for giggles and use a Pixel daily. HOLY CRAP, the update experience is so ridiculously slow on iPhones, I really don't Apple could not even try it fix it. How are iPhones not capable of having A/B partitions for the system to handle updates behind the scenes faster?

On androids you just don’t have this issue because manufacturers will stop giving you updates so quick that most of your experience with the device will be without them.

They're getting faster in Ventura. Moving to the sealed system volume in macOS 11 made them huge and slow to apply, but they're getting better. On my M1 Ultra machine even large updates don't take more than 5 or 10 minutes in the restart stage, and that can include firmware updates for the Mac and monitor (Apple Studio Display). And now with the rapid security patches there are some updates you don't even have to restart to apply (mostly).

But they don't pop up a million times and then restart your system for you while you have a long compute job running overnight...

I still don't know why both are so slow. Upgrading my mostly vanilla Devuan boxes costs me a few seconds to minutes and restarts are only to switch kernels.

The sad thing is that IMO, Windows users brought the shitty Windows Update implementation on themselves.

It was common in the Windows XP days for many users to never install updates and it really contributed to Windows's reputation for being incredibly insecure. Forcing updates became the only option to ensure Windows users remain secure.

Last time I tried to tinker with Windows XP few years ago: you couldn't just update it after installation, but if you let it work for a few days, eventually it'd download and install updates automatically. And after those updates are installed, you can actually use Windows Update UI to install optional updates and other things.

It definitely was after 2011.

DOS is easy to emulate - and dosbox does a great job of it, even in a web browser.

Windows 3.1, 95, 98, Me are less easy to emulate.

Note that that seems to have impacted the preservation of old games and programs. Plenty of dos games are all over the web and still quite popular, yet most stuff from the Win 9x era has almost entirely vanished due to the difficulty of running it on modern hardware.

Archivists take note - if you want something to live for a long time, it needs to be easy to emulate. And in turn, that means it needs to be both very common, and have simple API's so someone in the future can be bothered to make and maintain an emulator.

> most stuff from the Win 9x era has almost entirely vanished due to the difficulty of running it on modern hardware.

The tricky part is that this applies even if you're using a VM. I learned the hard way that Windows 98 isn't compatible with Ryzen CPUs, even through VirtualBox. I had to try again on another PC with an older Intel CPU.

A patch is available [0] to allow Windows 98 to be virtualized on more modern CPUs including Ryzen CPUs. It patches the "TLB Invalidation Bug". [1]

[0] https://github.com/JHRobotics/patcher9x

[1] https://blog.stuffedcow.net/2015/08/win9x-tlb-invalidation-b...

For early-ish windows 98 era machines, 86Box is a very good option.

DOS may be easy to emulate and re-implement because it's a single task operating system that does not do much. Most of hardware is accessed directly, and needs to be emulated instead. We enjoy great compatibility because of the enormous leap in performance since then (the slower the system the easier it is to simulate correctly on a modern one), and the combined knowledge of all the ins and outs collected during the PC boom by software authors and hardware makers implementing and re-implementing compatible devices.

I've had great success running Win 95 games on modern hardware. I just had to do it in Wine, amusingly enough.

Frustratingly, wine for windows isn't a thing...

Except it is (at least for the use-case of 16-bit apps that are unsupported by a 64-bit Windows) https://github.com/otya128/winevdm although no updates since 2021, but maybe it was "good enough" for whatever they were targeting.

I wanted to play certain games from that era (Spiderweb's Exile series), and the best solution I found was to just play the MacOS versions with SheepShaver.

You can technically get Windows 9x software running in a VM, but not without laggy video/audio in my experience.

> Archivists take note - if you want something to live for a long time, it needs to be easy to emulate

how do archivists have a say in this?

Some archivists make decisions about what to archive. Something that isn't going to be runnable in the future would be a poor choice if you only have limited resources.

Also, some archivists have the choice to convert media. For example, rather than storing a Wordperfect document, perhaps it is best to convert to PDF. Rather than storing the ROM of an 80's arcade machine, or the whole machine, perhaps it is best to store an MPEG video of a playthrough. Rather than storing the data on a floppy disk in a filing cabinet, perhaps it is best to store the data on a server which will be kept up to date? Well resourced archives might be able to implement emulators - but then the question remains how should that be done - Is it okay to have a PDP11 emulator that runs on dos, emulated by dosbox in windows XP, emulated again by virtualbox on Windows 11?

A big part of being an archivist is making decisions of what to keep, what not to keep, what form to keep it in, and when to convert it.

There is no consensus - some archives knowingly keep data and software that they have no way to open/run, in the hope someone might bother in the future. Others keep dependency tables to ensure that they always have some combination of hardware and software to run/open any stored material.

Personally I'm of the opinion that we should focus on storing as many bytes of data of human endeavors as possible, and not worry about emulation/search/cataloging.

Future people will have better solutions to all these problems, and every bit of effort we put into organising our archives today is effort taken away from collecting more bytes.

This means that you care about byte counter instead of actual content.

For some hardware, the number of people who can make it work has already diminished a lot. You can gather some of the knowledge today, “future people” won't be able to. What's the use of collections of data that can't be used?

True - and those are some of the reasons that my opinion is not common in the archiving world.

I looked up the last update for Windows XP - KB4500331[1] from May 2019. Eighteen years after the OS was released. Gotta give credit for that.

[1]: https://www.catalog.update.microsoft.com/Search.aspx?q=SP3+X...

Huh, I never realized that 95/98/ME ever had online updates in the first place.

It all started in Windows 98 with the launch of Windows Update; they then released the Critical Update Notification Tool (later renamed to Utility, for obvious reasons) which would query the website and just tell you when a critical update was available to go check the site.

Otherwise, in the 95 era, I believe you'd likely be finding out through a software vendor or otherwise that a certain fixpack from Microsoft might fix an issue and you should go grab an update then.

> they then released the Critical Update Notification Tool (later renamed to Utility, for obvious reasons)

Oofda. That can't have been an accident.

I thought you were joking, but no, the CUNT is real


I guess now we know why Windows patches will see you next Tuesday.


Um… what? You would trigger online updates in Windows 95 OSR 2 by using IE and navigating to the Windows Update website. This would then would trigger the updater.

That was all after the fact. For its initial release and even much of OSR 2 the only updates you got came with a new computer via the OEM updates of which OSR 2 was the big one. If you were lucky you might see a Service Pack on CD though that was more of an NT/2000 thing.

Yeah -- OSR 1 (95 A), 2/2.1 (95 B), and 2.5 (95 C) were just that - OEM Service Releases.

Anything else would have been a direct fix package - such as the DCOM95 OLE Update, DUN 1.4, or Winsock 2 -- things that you only installed if you needed something that used those functions, and often would become bundled with the software anyways because users might not have been given those updates out of the box.

There was at least one XP-era update CD that I do recall - the Windows Security Update 2004 contained patches for 98 through XP and was available by mail from Microsoft.


This is supported by the wikipedia page for Windows Update:

"Critical Update Notification Utility (initially Critical Update Notification Tool) is a background process that checks the Windows Update web site on a regular schedule for new updates that have been marked as "Critical". It was released shortly after Windows 98."

Unfortunately, the citation for that is no longer active on MS's site, and the archive.org version no longer works either.

Me neither.


> Windows Update was introduced as a web app with the launch of Windows 98 and offered additional desktop themes, games, device driver updates, and optional components such as NetMeeting. Windows 95 and Windows NT 4.0 were retroactively given the ability to access the Windows Update website and download updates designed for those operating systems, starting with the release of Internet Explorer 4.

— Software could not expect internet connection (or any network at all) to be available, and would be considered really arrogant if it tried to dial or spend user's traffic by default.

— Those who knew how to enable those features probably checked update sites and news sites manually often enough.

— Almost all software had to bundle required components and updates anyway. Games came with DirectX version 5/6/7/8/9 installers, IE version 4/5/6 installers provided important system components, acting as semi-service-packs for 9x systems… and, of course, Visual Studio library dependencies.

Seems like a centralized repository for a collection of updates issued by MS to windows computers. Does this bring additional security updates not issued by MS?

No, it's just old preexisting patches. In their FAQ and even on the front page they say continuing to run these operating systems is a terrible idea as they are highly vulnerable even after patching.

What’s the advantage over Legacy Update which seems to work pretty well.

Legacy Update is a better option for Windows 2000 and later as it uses a proxied Windows Update 6 implementation. Windows Update Restored uses Windows Update 3.1 and is better for Windows 95/98/Me and Windows NT4.

Legacy Update doesn't support Windows 95, Windows NT 4.0 SP3+ Windows 98 First and Second Edition, Windows Millenium Edition.

Windows Update Restored (purportedly) does.

Thanks, this answers my question.

This is exactly what I was looking for. Thanks.

(Sent from a ThinkPad x41 running Windows XP)

So I may have missed it, are they hosting old updates to make them available still or are they actually patching old SW with new builds. For example say the last update for XP was SP3.5, they got the tooling to build and release 3.6 which was never released by Microsoft but is from this organization? Is it one or both?

Is ReactOS stable enough to replace an old Windows 95 installation?

No matter if stable enough or not, ReactOS is aimed to replicate a NT based system, as such it can be very different from DOS/Win9x.

Quite a lot of (DOS based but not only) tools and programs (particularly any low-level one and - generally speaking - games) that run just fine in Windows 95 won't work on NT 4.00/2000 and later, and they as well won't in ReactOS.


I saw an ATM reboot into XP kiosk mode the other week.

Struck me as a bit unsafe?

BTW this also exists or did exist for "Fix Windows Update on Windows XP, Vista, Server 2008, 2003, and 2000"


It’s not the greatest to be still using XP. Although hopefully an ATM would be on a real private network, or at least a VPN provided by some more up to date external box (though the latter could have its own bugs I guess). If you pair that with the fact you don’t have externally accessible general IO[1] there probably isn’t much opportunity to gain access.

[1] If you can get into the innards you can probably just, you know, grab the cash (beware of dye bombs though).

> Struck me as a bit unsafe?

Usually ATMs run in their completely own network with heavy access controls limiting access even if the physical location is compromised.

It was pretty crazy how long IBM's OS/2 survived as an OS on tons of ATMs throughout the world, there will probably still be an ATM somewhere running XP in the 2050s.

>I saw an ATM reboot into XP kiosk mode the other week.

JFYI, there is a dedicated thread on MSFN.ORG for these sightings:


Atm's and public signage (airports, metro and similar) are still common enough.

Safer than card skimmers though.

What is the meaningful purpose of "Windows Update" for versions no longer recieving active patches. (I imagine there's some bigcorp or biggov that will pay whatever price is necessary to get a patch for XP, but anything earlier?)

Couldn't they collect and systematically 'slipstream' every patch and fix that would exist on Windows Update into a "Final Edition" ISO?

Or is the scope broader than a naive reading of the headline, and non-OS packages (drivers, third party software) were also relayed through WU?

I have to say this is awesome

> This website requires a minimum of Internet Explorer 5.0 or above, but we recommend Internet Explorer 5.5. To download Internet Explorer 5.5, Click Here

My most recent use-case for XP (in VMs) is to deploy IE as a remote app, to access old DVRs that require ActiveX for web view.

Does anyone have any experience with 0patch? I use it to keep a couple of old Win7 systems patched but it makes me nervous…

How about adding some instructions on how to use it? Just saying...

> To find out more about the Windows Update Website and what it does, Click Here

> http://windowsupdaterestored.com/en/aboutwindowsupdaterestor...

The submission is the literal website used for the updates. You use it by browsing the website like any other website.

You figured out how to use HN without much hand-holding, I'm sure you can figure out how to use this website as well :)

Edit: There is even a video explaining how to use the website, not sure what more you could ask for? https://www.youtube.com/watch?v=pbWa_tlC-3I

Awesome then! I don't know if I'm the exception, but my Win9x years were mostly offline or with a 56k modem, so online updates were off the map.

I was expecting one would need to tweak the registry or plug some custom DNS entries to get the updates running.

why no https on this site?

Older web browsers like those on Windows XP don't support newer versions of SSL.

There are newer web browsers that will run on Windows XP, see New Moon http://matejhorvat.si/en/unfiled/pmxp/index.htm

Even the final official build of Firefox that supported Windows XP will break on websites like Github, where a Releases page will never finish loading, and never let you download any files. But the New Moon build on that website (28.10) will work.

(Don't forget to install uBlock Origin and a current fork of uMatrix)

See http://rtfreesoft.blogspot.com/ and https://github.com/Feodor2/Mypal68

Discussions of those builds can be found in relevant threads on relevant forums.

Does modern HTTPS even work on Windows 95?

Under Retrozilla, TLS 1.3

> This website requires a minimum of Internet Explorer 5.0 or above, but we recommend Internet Explorer 5.5.

that's the bit that left me gobsmacked

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact