<p>HackAndPwn (<a href="https://hackandpwn.com/">hackandpwn.com</a>), feed updated 2024-03-25T16:24:06+00:00.</p>
<h2>Windows 8.1 and Windows Server 2012 R2 ESU Analysis</h2>
<p>Published 2024-03-25 at <a href="https://hackandpwn.com/windows-8.1-and-2012-r2-esu-analysis">https://hackandpwn.com/windows-8.1-and-2012-r2-esu-analysis</a>.</p>
<p>The original Windows 7 ESU Analysis can be found <a href="https://hackandpwn.com/windows-7-esu-analysis">here</a>. With the ending of support for Windows 8.1 and Server 2012 R2 in 2023, additional research was conducted to see if similar techniques would work for these operating systems as well. It was determined that both Windows 8.1 and Windows Server 2012 R2 can be fully patched past the supported period.</p>
<p>There are two techniques for getting these operating systems up to date with the latest patches. The first technique is to copy the latest manifest file into the C:\Windows\WinSxS\Manifests folder, apply the Components registry key, and apply the SideBySide registry key. After that, installing the latest Cumulative Update succeeds.</p>
<p>The easier method, however, is to install the latest Cumulative Update, let it “fail”, apply the SideBySide registry key, and retry. Upon completion, the update will succeed. Both techniques have been validated on these Operating Systems.</p>
<blockquote>
<p>Important: You must obtain an ESU license to apply ESU updates. Details on obtaining an ESU license can be found <a href="https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates">here</a>. This research was completed for security vulnerability research purposes only following the <a href="https://www.microsoft.com/en-us/msrc/bounty-safe-harbor">Microsoft Legal Safe Harbor Terms</a>. Do not try to reproduce without having the required licenses.</p>
</blockquote>
<blockquote>
<p>There is no ESU license option for Windows 8.1, so if Windows 8.1 must still be used, this is an unsupported way to keep it patched against the latest vulnerabilities. Although the last official patch for Windows 8.1 was January 2023, here is a version of Windows 8.1 fully patched through January 2024.</p>
</blockquote>
<blockquote>
<center><img src="/assets/2024-01-21-windows-8.1-and-2012-r2-esu-analysis/01.png" /></center>
</blockquote>
<h3 id="install-the-latest-servicing-stack-update-ssu---kb5035968-march-2024">Install The Latest Servicing Stack Update (SSU) - KB5035968 (March 2024)</h3>
<p>Install <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/01_Windows8.1-KB5035968-x64.msu">Windows8.1-KB5035968-x64.msu</a> and reboot the computer.</p>
<h3 id="install-the-latest-monthly-cumulative-update-via-failed-reboot-technique---kb5035885-march-2024">Install The Latest Monthly Cumulative Update Via Failed Reboot Technique - KB5035885 (March 2024)</h3>
<ol>
<li>Install KB5035885 ( <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.001">Part 1</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.002">Part 2</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.003">Part 3</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.004">Part 4</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.005">Part 5</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.006">Part 6</a> ) and reboot the computer. This will result in a failed update and rollback.</li>
<li>Apply the new Windows 8.1 or Server 2012 R2 SideBySide registry key linked below.</li>
<li>Install KB5035885 again and reboot the computer. This will result in a successful update.</li>
</ol>
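<p>As an added example (not code from the original post), here is the failed-reboot procedure above as a checked PowerShell script. Before touching the system it refuses any package whose Authenticode signature is not a valid Microsoft one, which matters because these .msu files are redistributed from a GitHub repository rather than the Microsoft Update Catalog; it then runs wusa.exe, interprets the exit code, and on the retry imports the SideBySide .reg before reinstalling, in the order the post gives. Assumed and not taken from the page: the placeholder file paths, the <code>-ApplySideBySideKey</code> switch, and the wusa.exe exit codes 0 (installed), 3010 (reboot required) and 2359302 (already installed).</p>

```powershell
# Added example, not the post's own code. Drives the "failed reboot" technique
# with a check at each step. Paths are placeholders; -ApplySideBySideKey is an
# assumed switch used on the second attempt, after the first one rolled back.
param(
    [string]$Msu           = 'C:\ESU\Windows8.1-KB5035885-x64.msu',          # placeholder
    [string]$SideBySideReg = 'C:\ESU\8.1_x64_SideBySideRegistryKey_x64.reg', # placeholder
    [string]$Kb            = 'KB5035885',
    [switch]$ApplySideBySideKey
)
$ErrorActionPreference = 'Stop'

function Test-MicrosoftSigned([string]$Path) {
    # Only a valid Authenticode chain ending in a Microsoft signer is accepted.
    # A package pulled from a third-party mirror is exactly where a tampered
    # .msu would show up, and wusa.exe does not tell you who signed it.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path signature status is $($sig.Status)"
        return $false
    }
    return ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
}

function Test-HotfixInstalled([string]$Id) {
    # Get-HotFix reads the same package inventory Windows Update reports from.
    return [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Import-RegFile([string]$Path) {
    & "$env:SystemRoot\System32\reg.exe" import $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import $Path failed with exit code $LASTEXITCODE" }
}

function Install-Msu([string]$Path) {
    # wusa.exe exit codes (assumed, standard Win32 / Windows Update values):
    # 0 = installed, 3010 = installed but reboot required, 2359302 = already installed.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList ('"{0}" /quiet /norestart' -f $Path) -Wait -PassThru
    return $p.ExitCode
}

if (Test-HotfixInstalled $Kb) {
    Write-Host "$Kb is already installed; nothing to do."
    return
}
if (-not (Test-MicrosoftSigned $Msu)) {
    throw "Refusing to install $Msu because its signature is not a valid Microsoft signature."
}
if ($ApplySideBySideKey) {
    # Step 2 of the post: the key goes in only after the first attempt has rolled back.
    Import-RegFile $SideBySideReg
}
switch (Install-Msu $Msu) {
    0       { Write-Host "$Kb installed." }
    3010    { Write-Host "$Kb staged; reboot now. If it rolls back during the reboot, rerun this script with -ApplySideBySideKey." }
    2359302 { Write-Host "$Kb reported as already installed." }
    default { throw "wusa.exe returned $_ for $Kb" }
}
```

<p>Run it once, reboot, and run it again with <code>-ApplySideBySideKey</code> if <code>Get-HotFix</code> still does not list the KB; the first check at the top keeps the second run idempotent once the update has taken.</p>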
<h3 id="install-the-latest-monthly-cumulative-update-via-manfiestscomponent-technique---kb5035885-march-2024">Install The Latest Monthly Cumulative Update Via Manifests/Components Technique - KB5035885 (March 2024)</h3>
<p>If using the Manifest/Components registry key technique:</p>
<ol>
<li>Copy the manifest file linked below into the C:\Windows\WinSxS\Manifests folder. This can be done by executing the following commands:
<blockquote>
<p>takeown /f C:\Windows\WinSxS\Manifests /a</p>
<p>icacls C:\Windows\WinSxS\Manifests /grant Everyone:(F)</p>
<p>copy amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.3.9600.21871_none_599b781bf64f8523.manifest C:\Windows\WinSxS\Manifests</p>
<p>icacls C:\Windows\WinSxS\Manifests /remove Everyone</p>
<p>icacls C:\Windows\WinSxS\Manifests /setowner "NT SERVICE\TrustedInstaller"</p>
</blockquote>
</li>
<li>Apply the new Windows 8.1 or Server 2012 R2 Components registry key linked below.</li>
<li>Apply the new Windows 8.1 or Server 2012 R2 SideBySide registry key linked below.</li>
<li>Install KB5035885 ( <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.001">Part 1</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.002">Part 2</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.003">Part 3</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.004">Part 4</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.005">Part 5</a> / <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/02_Windows8.1-KB5035885-x64.zip.006">Part 6</a> ).</li>
</ol>
<h3 id="install-the-latest-net-35-update---kb5033900-january-2024">Install The Latest .NET 3.5 Update - KB5033900 (January 2024)</h3>
<p>Install <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/03_Windows8.1-KB5033900-x64.msu">Windows8.1-KB5033900-x64.msu</a>.</p>
<h3 id="install-the-latest-net-48-update---kb5034617-february-2024">Install The Latest .NET 4.8 Update - KB5034617 (February 2024)</h3>
<p>Install <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/raw/main/Patches/04_Windows8.1-KB5034617-x64-ndp48.msu">Windows8.1-KB5034617-x64-ndp48.msu</a>.</p>
<h3 id="install-the-latest-root-certificate-updates">Install The Latest Root Certificate Updates</h3>
<p>Finally, the latest Microsoft Root Certificates need to be installed into the Local Computer Trusted Root Authority Certificate Store. A batch file to automatically install all certificates and revocation lists can be found here: <a href="https://github.com/HackAndPwn/Windows-7-Patching/blob/master/08_Certs/Import.cmd">Import.cmd</a></p>
<table style="text-align:center"><colgroup><col width="8%" /><col width="16%" /><col width="50%" /></colgroup>
<thead><tr><th style="text-align:center">Date</th><th style="text-align:center">Type</th><th>Download</th></tr></thead><tbody>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/MicRooCerAut2011_2011_03_22.crt">MicRooCerAut2011_2011_03_22.crt</a></td></tr>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt">Microsoft ECC Product Root Certificate Authority 2018.crt</a></td></tr>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20TS%20Root%20Certificate%20Authority%202018.crt">Microsoft ECC TS Root Certificate Authority 2018.crt</a></td></tr>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20Time%20Stamp%20Root%20Certificate%20Authority%202014.crt">Microsoft Time Stamp Root Certificate Authority 2014.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt">Microsoft ECC Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt">Microsoft EV ECC Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt">Microsoft RSA Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20RSA%20Root%20Certificate%20Authority%202017.crt">Microsoft EV RSA Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2024-01-03</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crl">Microsoft RSA Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-01-06</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crl">Microsoft EV ECC Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-01-06</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20RSA%20Root%20Certificate%20Authority%202017.crl">Microsoft EV RSA Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-01-24</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20Time%20Stamp%20Root%20Certificate%20Authority%202014.crl">Microsoft Time Stamp Root Certificate Authority 2014.crl</a></td></tr>
<tr><td>2024-02-14</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crl">Microsoft ECC Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-03-04</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/MicRooCerAut_2010-06-23.crl">MicRooCerAut_2010-06-23.crl</a></td></tr>
<tr><td>2024-03-12</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl">Microsoft ECC Product Root Certificate Authority 2018.crl</a></td></tr>
<tr><td>2024-03-12</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20TS%20Root%20Certificate%20Authority%202018.crl">Microsoft ECC TS Root Certificate Authority 2018.crl</a></td></tr>
</tbody></table>
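<p>As an added example (not the post's Import.cmd), the following PowerShell script imports the certificates and revocation lists listed above into the Local Machine Trusted Root store with certutil, but only after checking that each .crt is a self-signed root issued by Microsoft, since the Root store is trusted by every TLS and Authenticode check on the machine and should never receive an intermediate or a certificate of unknown origin. After importing it confirms each certificate is present by thumbprint. The <code>$CertDir</code> path is a placeholder; everything else uses built-in tools.</p>

```powershell
# Added example, not the post's own batch file. Imports the listed .crt and .crl
# files into Cert:\LocalMachine\Root, refusing anything that is not a
# self-signed Microsoft root, then verifies the result. $CertDir is a placeholder.
param([string]$CertDir = 'C:\ESU\08_Certs')   # placeholder folder holding the downloads
$ErrorActionPreference = 'Stop'

function Get-CertFromFile([string]$Path) {
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
}

function Test-MicrosoftRoot($Cert) {
    # A Root-store entry must be self-signed (issuer equals subject). For this
    # purpose it must also be issued by Microsoft; anything else is rejected.
    return ($Cert.Subject -eq $Cert.Issuer) -and ($Cert.Subject -like '*O=Microsoft Corporation*')
}

function Test-InRootStore([string]$Thumbprint) {
    # The certificate provider exposes store entries by thumbprint.
    return (Test-Path "Cert:\LocalMachine\Root\$Thumbprint")
}

function Import-ToRootStore([string]$Path) {
    # certutil -addstore accepts both certificates and CRLs for the named store.
    & "$env:SystemRoot\System32\certutil.exe" -addstore Root $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -addstore Root failed for $Path (exit $LASTEXITCODE)" }
}

$report = @()
foreach ($file in Get-ChildItem -Path $CertDir -Filter *.crt) {
    $cert = Get-CertFromFile $file.FullName
    if (-not (Test-MicrosoftRoot $cert)) {
        Write-Warning "Skipping $($file.Name): not a self-signed Microsoft root ($($cert.Subject))"
        continue
    }
    if (-not (Test-InRootStore $cert.Thumbprint)) { Import-ToRootStore $file.FullName }
    $report += New-Object PSObject -Property @{
        File       = $file.Name
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Installed  = (Test-InRootStore $cert.Thumbprint)
    }
}
foreach ($file in Get-ChildItem -Path $CertDir -Filter *.crl) {
    # CRLs have no entry on the Cert: drive, so the exit code is the only check.
    Import-ToRootStore $file.FullName
}
$report | Format-Table File, Installed, NotAfter, Thumbprint -AutoSize
```

<p>The thumbprints it prints can be compared against the values Microsoft publishes for its root CAs before the machine is put back into service; the script itself deliberately pins nothing, because the expected values are not part of this post.</p>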
<h3 id="references">References</h3>
<p>These files can all be found on GitHub <a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis">here</a>. See below for specific file links.</p>
<blockquote>
<p><a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/blob/main/2024_03/amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.3.9600.21871_none_599b781bf64f8523.manifest">Windows 8.1 x64 Manifest File KB5035885</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/blob/main/2024_03/8.1_x64_ComponentsRegistryKey.reg">Windows 8.1 x64 Components Registry Key KB5035885</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/blob/main/2024_03/8.1_x64_SideBySideRegistryKey_x64.reg">Windows 8.1 SideBySide Registry Key KB5035885</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/blob/main/2024_03/amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.3.9600.21871_none_599b781bf64f8523.manifest">Windows Server 2012 R2 x64 Manifest File KB5035885</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/blob/main/2024_03/Server_2012_R2_x64_ComponentsRegistryKey.reg">Windows Server 2012 R2 Components Registry Key KB5035885</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-8.1-And-Server-2012-R2-ESU-Analysis/blob/main/2024_03/Server_2012_R2_x64_SideBySideRegistryKey_x64.reg">Windows Server 2012 R2 SideBySide Registry Key KB5035885</a></p>
</blockquote>
<h3 id="update-2024-03-25">Update 2024-03-25</h3>
<ul>
<li>Replaced February 2024 Servicing Stack Update (KB5034866) with March 2024 Servicing Stack Update (KB5035968).</li>
<li>Replaced February 2024 Monthly Update (KB5034819) with March 2024 Monthly Update (KB5035885).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Replaced February 2024 Manifest, Components Registry Key, and SideBySide Registry Key (6.3.9600.21813) with March 2024 (6.3.9600.21871).</li>
</ul>
<p>For previous updates to this post, see <a href="https://hackandpwn.com/windows-8.1-and-2012-r2-esu-analysis-changelog/">Windows 8.1 and Windows Server 2012 R2 ESU Analysis Changelog</a>.</p>
<h2>Windows 7 ESU Analysis Updates</h2>
<p>Published 2024-03-25 at <a href="https://hackandpwn.com/windows-7-esu-analysis-updates">https://hackandpwn.com/windows-7-esu-analysis-updates</a>.</p>
<p>The original Windows 7 ESU Analysis can be found <a href="https://hackandpwn.com/windows-7-esu-analysis">here</a>. Starting with the September 2020 Cumulative Update, the technique as originally described no longer installs the update. However, only slight modifications are needed for the newer updates to install as well.</p>
<p>Please reference the original post for the majority of the instructions. This post will only highlight updates that need to be made.</p>
<blockquote>
<p>Important: You must obtain an ESU license to apply ESU updates. Details on obtaining an ESU license can be found <a href="https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates">here</a>. This research was completed for security vulnerability research purposes only following the <a href="https://www.microsoft.com/en-us/msrc/bounty-safe-harbor">Microsoft Legal Safe Harbor Terms</a>. Do not try to reproduce without having the required licenses.</p>
</blockquote>
<h3 id="installing-kb4528069">Installing KB4528069</h3>
<p>Install KB4528069 as described in <a href="https://hackandpwn.com/windows-7-esu-analysis">Windows 7 ESU Analysis</a>.</p>
<h3 id="installing-kb5035888-march-2024-cumulative-update">Installing KB5035888 (March 2024 Cumulative Update)</h3>
<p>The March 2024 Cumulative Update includes new ESU files that bump versions past those used in KB4528069. However, the same technique that previously applied still works.</p>
<ol>
<li>Install the latest Servicing Stack Update ( <a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/01_Windows6.1-KB5034865-x64.msu">Windows6.1-KB5034865-x64.msu</a> / <a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/01_Windows6.1-KB5034865-x86.msu">Windows6.1-KB5034865-x86.msu</a> ). Rebooting the machine may be required.</li>
<li>If using the Manifest/Components registry key technique on a 64-bit system, execute the following commands:
<blockquote>
<p>takeown /f C:\Windows\WinSxS\Manifests /a</p>
<p>icacls C:\Windows\WinSxS\Manifests /grant Everyone:(F)</p>
<p>copy amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.27017_none_c8e442063621a623.manifest C:\Windows\WinSxS\Manifests</p>
<p>icacls C:\Windows\WinSxS\Manifests /remove Everyone</p>
<p>icacls C:\Windows\WinSxS\Manifests /setowner "NT SERVICE\TrustedInstaller"</p>
<p>reg import ComponentsRegistryKey_x64.reg</p>
<p>reg import SideBySideRegistryKey_x64.reg</p>
</blockquote>
</li>
<li>If using the Manifest/Components registry key technique on a 32-bit system, execute the following commands:
<blockquote>
<p>takeown /f C:\Windows\WinSxS\Manifests /a</p>
<p>icacls C:\Windows\WinSxS\Manifests /grant Everyone:(F)</p>
<p>copy x86_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.27017_none_6cc5a6827dc434ed.manifest C:\Windows\WinSxS\Manifests</p>
<p>icacls C:\Windows\WinSxS\Manifests /remove Everyone</p>
<p>icacls C:\Windows\WinSxS\Manifests /setowner "NT SERVICE\TrustedInstaller"</p>
<p>reg import ComponentsRegistryKey_x86.reg</p>
<p>reg import SideBySideRegistryKey_x86.reg</p>
</blockquote>
</li>
<li>If using the failed reboot technique, try to install KB5035888 and let it fail. Apply the new 32-bit or 64-bit SideBySide registry key linked below and retry the update. This time it will succeed.</li>
</ol>
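<p>As an added example (not code from either post), the Manifests/Components technique, which appears both in the Windows 8.1 / Server 2012 R2 post above and in the 32-bit and 64-bit command lists in this post, as one PowerShell script. It runs the same five commands (takeown, icacls grant, copy, icacls remove, icacls setowner) and the two reg imports, but checks every tool's exit code, refuses a manifest whose architecture or OS major.minor version does not match the host (the manifest name encodes both), always revokes the temporary Everyone grant even if the copy fails, and confirms ownership of the folder is back with TrustedInstaller afterwards. The default file names are the ones this post links for March 2024 x64; the relative paths are placeholders, and the script assumes it is run from a native (not WOW64) elevated PowerShell.</p>

```powershell
# Added example, not the posts' own commands. Performs the manifest copy and
# registry key import with verification. Default names are this post's March
# 2024 x64 files; the relative paths are placeholders.
param(
    [string]$Manifest      = '.\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.27017_none_c8e442063621a623.manifest',
    [string]$ComponentsReg = '.\ComponentsRegistryKey_x64.reg',
    [string]$SideBySideReg = '.\SideBySideRegistryKey_x64.reg'
)
$ErrorActionPreference = 'Stop'
$manifestDir = Join-Path $env:SystemRoot 'WinSxS\Manifests'

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run a native tool and fail loudly on a non-zero exit code instead of
    # silently continuing with a half-applied permission change.
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Test-ManifestMatchesHost([string]$Path) {
    # Manifest names look like:
    #   amd64_<component>_<publicKeyToken>_6.1.7602.27017_none_<hash>.manifest
    # Compare the architecture prefix and OS major.minor against this host so a
    # Windows 8.1 (6.3) manifest is never dropped onto a Windows 7 (6.1) system.
    $name = Split-Path -Leaf $Path
    if (-not ($name -match '^(amd64|x86)_.*_(\d+)\.(\d+)\.\d+\.\d+_')) { return $false }
    $wantArch = if ($matches[1] -eq 'amd64') { 'AMD64' } else { 'x86' }
    $osVersion = (Get-WmiObject Win32_OperatingSystem).Version   # e.g. 6.1.7601 or 6.3.9600
    $osMajorMinor = ($osVersion -split '\.')[0..1] -join '.'
    $wantVersion = '{0}.{1}' -f $matches[2], $matches[3]
    return ($env:PROCESSOR_ARCHITECTURE -eq $wantArch) -and ($wantVersion -eq $osMajorMinor)
}

if (-not (Test-Path $Manifest)) { throw "Manifest not found: $Manifest" }
if (-not (Test-ManifestMatchesHost $Manifest)) { throw "Manifest architecture or OS version does not match this host: $Manifest" }

$dest = Join-Path $manifestDir (Split-Path -Leaf $Manifest)
if (Test-Path $dest) {
    Write-Host "Manifest already present, skipping copy: $dest"
} else {
    # Same steps as the posts: take ownership, grant, copy, revoke, hand back.
    Invoke-Checked "$env:SystemRoot\System32\takeown.exe" @('/f', $manifestDir, '/a')
    Invoke-Checked "$env:SystemRoot\System32\icacls.exe"  @($manifestDir, '/grant', 'Everyone:(F)')
    try {
        Copy-Item -Path $Manifest -Destination $dest
    } finally {
        # Runs even if the copy throws, so the broad grant never lingers.
        Invoke-Checked "$env:SystemRoot\System32\icacls.exe" @($manifestDir, '/remove', 'Everyone')
        Invoke-Checked "$env:SystemRoot\System32\icacls.exe" @($manifestDir, '/setowner', 'NT SERVICE\TrustedInstaller')
    }
}

# Confirm the folder is owned by TrustedInstaller again before continuing.
$owner = (Get-Acl -Path $manifestDir).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') { throw "Owner of $manifestDir is '$owner', expected NT SERVICE\TrustedInstaller" }

Invoke-Checked "$env:SystemRoot\System32\reg.exe" @('import', $ComponentsReg)
Invoke-Checked "$env:SystemRoot\System32\reg.exe" @('import', $SideBySideReg)
Write-Host "Manifest staged and registry keys imported; install the cumulative update next."
```

<p>For the 32-bit Windows 7 files, or the Windows 8.1 / Server 2012 R2 files from the post above, pass the matching manifest and .reg paths as parameters; the host check will reject a mismatched manifest before any permission is changed.</p>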
<h3 id="references">References</h3>
<p>These files can all be found on GitHub <a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis">here</a>. See below for specific file links.</p>
<blockquote>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/blob/master/2024_03/amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.27017_none_c8e442063621a623.manifest">Updated Manifest File x64 KB5035888</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/blob/master/2024_03/x86_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.27017_none_6cc5a6827dc434ed.manifest">Updated Manifest File x86 KB5035888</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/blob/master/2024_03/ComponentsRegistryKey_x64.reg">Updated Components Registry Key x64 KB5035888</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/blob/master/2024_03/ComponentsRegistryKey_x86.reg">Updated Components Registry Key x86 KB5035888</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/blob/master/2024_03/SideBySideRegistryKey_x64.reg">Updated SideBySide Registry Key x64 KB5035888</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/blob/master/2024_03/SideBySideRegistryKey_x86.reg">Updated SideBySide Registry Key x86 KB5035888</a></p>
</blockquote>
<h3 id="update-2024-03-25">Update 2024-03-25</h3>
<ul>
<li>Replaced February 2024 Monthly Update (KB5034831) with March 2024 Monthly Update (KB5035888).</li>
<li>Replaced February 2024 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26961) with March 2024 (6.1.7602.27017).</li>
</ul>
<p>For previous updates to this post, see <a href="https://hackandpwn.com/windows-7-esu-analysis-updates-changelog/">Windows 7 ESU Analysis Updates Changelog</a>.</p>
<h2>Windows 7 ESU Patching</h2>
<p>Published 2024-03-25 at <a href="https://hackandpwn.com/windows-7-esu-patching">https://hackandpwn.com/windows-7-esu-patching</a>.</p>
<p>With the May 2020 Windows 7 updates, I went on a mission to determine the minimum set of updates needed to enable all features within Windows 7, including optional hotfixes, and to have the most up-to-date installation possible. After extensive testing, I concluded that 42 updates not offered through Windows Update would need to be installed to reach this objective. The following sections describe the updates required and provide links to each.</p>
<blockquote>
<p>The base test image used for this research was 64-Bit Windows 7 Ultimate SP1. Microsoft Update was enabled, and all updates offered through Windows Update were installed prior to starting this investigation.</p>
</blockquote>
<blockquote>
<p>I highly recommend both the <a href="http://windows-update-checker.com/">KUC Update Checker</a> and <a href="https://www.wsusoffline.net/">WSUS Offline Update</a> utilities. I used both during this investigation in order to get to this minimum required set.</p>
</blockquote>
<h3 id="enabling-esu-updates">Enabling ESU Updates</h3>
<p>This first section holds a single update required for ESU updates further down the list. A detailed analysis on this update can be found on my <a href="https://hackandpwn.com/windows-7-esu-analysis/">Windows 7 ESU Analysis</a> post.</p>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">KB Number</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>KB4528069</td><td>Windows 7 SP1 ESU Verification</td><td style="text-align:left">This optional update will help verify that eligible Windows 7 SP1 devices can continue to get Extended Security Updates (ESUs) after the end of support date of January 14, 2020.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/01_Enable_ESU/01_Windows6.1-KB4528069-x64.msu">Windows6.1-KB4528069-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/01_Enable_ESU/01_Windows6.1-KB4528069-x86.msu">Windows6.1-KB4528069-x86.msu</a></td></tr>
</tbody></table>
<h3 id="installing-optional-features">Installing Optional Features</h3>
<p>The next section of updates enables all optional features not available through Windows Update. The notable exception from this list is the AD LDS feature, which is discussed in more detail in the next section.</p>
<blockquote>
<p>After installing the Work Folders for Windows feature (KB2891638), an update may appear as available in Windows Update (KB3081954). However, this update is not required and is replaced with Service Pack 2 (KB3125574). Once KB3125574 is installed, KB3081954 will no longer appear in Windows Update.</p>
</blockquote>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">KB Number</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>KB917607</td><td style="text-align:left">Windows Help 32-bit Compatibility Update</td><td style="text-align:left">WinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. To view .hlp files on Windows 7, you need to install this application.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/01_Windows6.1-KB917607-x64.msu">Windows6.1-KB917607-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/01_Windows6.1-KB917607-x86.msu">Windows6.1-KB917607-x86.msu</a></td></tr>
<tr><td>KB943790</td><td style="text-align:left">File Management API Extensions For BitLocker</td><td style="text-align:left">Install this update to extend the File Management APIs to not only enable the discovery and restoration of deleted files from volumes that are not encrypted but also enable the recovery of files from BitLocker encrypted volumes.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/02_Windows6.1-KB943790-x64.msu">Windows6.1-KB943790-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/02_Windows6.1-KB943790-x86.msu">Windows6.1-KB943790-x86.msu</a></td></tr>
<tr><td>KB958559</td><td style="text-align:left">Windows Virtual PC</td><td style="text-align:left">Windows Virtual PC can be used to run more than one operating system at the same time on one computer, and to run many productivity applications on a virtual Windows environment, with a single click, directly from a computer running Windows 7.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/03_Windows6.1-KB958559-x64.msu">Windows6.1-KB958559-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/03_Windows6.1-KB958559-x86.msu">Windows6.1-KB958559-x86.msu</a></td></tr>
<tr><td>1.3.7600.16423</td><td style="text-align:left">Windows XP Mode</td><td style="text-align:left">Windows XP Mode provides a 32-bit virtual Windows XP Professional Service Pack 3 (SP3) environment, which makes it easy to run many of your productivity programs that run on Windows XP on Windows 7.</td><td>Windows-XP-Mode-en-us.exe<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/04_WindowsXPMode_en-us.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/04_WindowsXPMode_en-us.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/04_WindowsXPMode_en-us.zip.003">Part 3</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/04_WindowsXPMode_en-us.zip.004">Part 4</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/04_WindowsXPMode_en-us.zip.005">Part 5</a></td></tr>
<tr><td>KB958830</td><td style="text-align:left">Remote Server Administration Tools</td><td style="text-align:left">Remote Server Administration Tools for Windows 7 SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003, from a remote computer that is running Windows 7 SP1.</td><td>Windows6.1-KB958830-x64.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/05_Windows6.1-KB958830-x64.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/05_Windows6.1-KB958830-x64.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/05_Windows6.1-KB958830-x64.zip.003">Part 3</a><br /> <br />Windows6.1-KB958830-x86.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/05_Windows6.1-KB958830-x86.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/05_Windows6.1-KB958830-x86.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/05_Windows6.1-KB958830-x86.zip.003">Part 3</a></td></tr>
<tr><td>KB969168</td><td style="text-align:left">Microsoft Agent</td><td style="text-align:left">Microsoft Agent is a set of software services that supports interactive characters within the Microsoft Windows display. Examples of the Microsoft Agent characters are the Office Assistants.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/06_Windows6.1-KB969168-x64.msu">Windows6.1-KB969168-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/06_Windows6.1-KB969168-x86.msu">Windows6.1-KB969168-x86.msu</a></td></tr>
<tr><td>KB970985</td><td style="text-align:left">Remote Administration Tools For Windows Media Services</td><td style="text-align:left">The Remote Administration Tools for Windows Media Services update for Windows 7 SP1 enables the Windows Media Services snap-in for the Microsoft Management Console.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/07_Windows6.1-KB970985-x64.msu">Windows6.1-KB970985-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/07_Windows6.1-KB970985-x86.msu">Windows6.1-KB970985-x86.msu</a></td></tr>
<tr><td>KB974150</td><td style="text-align:left">Windows NTBackup Utility</td><td style="text-align:left">NTBackup is the legacy Windows backup application included in previous versions of Windows. Files can be backed up to tape, ZIP drives, floppy disks, and hard drives using a proprietary backup format (BKF). It also features integration with Task Scheduler and has several command line switches for scheduled automated backups.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/08_Windows6.1-KB974150-x64.msu">Windows6.1-KB974150-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/08_Windows6.1-KB974150-x86.msu">Windows6.1-KB974150-x86.msu</a></td></tr>
<tr><td>KB974405</td><td style="text-align:left">Windows Identity Foundation</td><td style="text-align:left">The Windows Identity Foundation helps simplify user access for developers by externalizing user access from applications via claims and reducing development effort with pre-built security logic and integrated .NET tools.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/09_Windows6.1-KB974405-x64.msu">Windows6.1-KB974405-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/09_Windows6.1-KB974405-x86.msu">Windows6.1-KB974405-x86.msu</a></td></tr>
<tr><td>KB974674</td><td style="text-align:left">Windows NTBackup Restore Utility</td><td style="text-align:left">The Windows NTBackup Restore Utility for Windows 7 SP1 restores backups that are made on Windows XP and on Windows Server 2003 to computers that are running Windows 7 and Windows Server 2008 R2.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/10_Windows6.1-KB974674-x64.msu">Windows6.1-KB974674-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/10_Windows6.1-KB974674-x86.msu">Windows6.1-KB974674-x86.msu</a></td></tr>
<tr><td>KB981390</td><td style="text-align:left">Windows Server Update Services Best Practices Analyzer</td><td style="text-align:left">You can use the Windows Server Update Services (WSUS) update for Best Practices Analyzer to scan a server that is running WSUS. A BPA scan of WSUS can help you determine whether WSUS was properly installed and configured on your server. Scan results are displayed as a list of issues that you can sort by severity, and results include recommendations for fixing issues and links to instructions. No configuration changes are made by running the scan.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/11_Windows6.1-KB981390-x64.msu">Windows6.1-KB981390-x64.msu</a></td></tr>
<tr><td>KB981392</td><td style="text-align:left">Application Server Best Practices Analyzer</td><td style="text-align:left">You can use the Application Server update for Best Practices Analyzer to scan a server that is running the Application Server role. BPA can help you determine whether Application Server was installed correctly on a server. Scan results are displayed as a list of issues that you can sort by severity, and results include recommendations for fixing issues and links to instructions. No configuration changes are made by running the scan.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/12_Windows6.1-KB981392-x64.msu">Windows6.1-KB981392-x64.msu</a></td></tr>
<tr><td>KB2386667</td><td style="text-align:left">Application Server Best Practices Analyzer Rules Revision</td><td style="text-align:left">Install this update to revise the rules of the Best Practice Analyzer (BPA) for the Application Server role.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/13_Windows6.1-KB2386667-x64.msu">Windows6.1-KB2386667-x64.msu</a></td></tr>
<tr><td>KB2666914</td><td style="text-align:left">DirectAccess Connectivity Assistant 2.0</td><td style="text-align:left">The Microsoft DirectAccess Connectivity Assistant (DCA) version 2.0 is used by DirectAccess client computers running Windows 7, to connect to Windows Server 2012 servers running DirectAccess.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/14_Windows6.1-KB2666914-x64.msu">Windows6.1-KB2666914-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/14_Windows6.1-KB2666914-x86.msu">Windows6.1-KB2666914-x86.msu</a></td></tr>
<tr><td>KB2790621</td><td style="text-align:left">Windows Server Essentials Connector</td><td style="text-align:left">Windows Server Essentials Connector is software that helps you connect your PC or Mac client to Windows Server 2012 R2 with the Windows Server Essentials Experience server role enabled. It also enables and manages key client-side functionality of Windows Server Essentials Experience.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/15_Windows6.1-KB2790621-x64.msu">Windows6.1-KB2790621-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/15_Windows6.1-KB2790621-x86.msu">Windows6.1-KB2790621-x86.msu</a></td></tr>
<tr><td>KB2891638</td><td style="text-align:left">Work Folders For Windows</td><td style="text-align:left">Work Folders is a place to store your work files so that you can open them from all computers and devices, even when you are offline.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/16_Windows6.1-KB2891638-x64.msu">Windows6.1-KB2891638-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/16_Windows6.1-KB2891638-x86.msu">Windows6.1-KB2891638-x86.msu</a></td></tr>
<tr><td>KB2959936</td><td style="text-align:left">Embedded Lockdown Manager Feature Set Update</td><td style="text-align:left">Embedded Lockdown Manager uses Windows Management Instrumentation (WMI) providers to detect and change configuration settings and can export the settings to PowerShell scripts.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/17_Windows6.1-KB2959936-x64.msu">Windows6.1-KB2959936-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/17_Windows6.1-KB2959936-x86.msu">Windows6.1-KB2959936-x86.msu</a></td></tr>
<tr><td>KB2990999</td><td style="text-align:left">Internet Explorer 11 Web Driver Tool</td><td style="text-align:left">The IE WebDriver Tool enables developers to create automated tests that simulate users interacting with webpages and report back results in Internet Explorer 11. It can also manage testing across multiple windows, tabs, and webpages in a single session.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/18_Windows6.1-KB2990999-x64.msu">Windows6.1-KB2990999-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/18_Windows6.1-KB2990999-x86.msu">Windows6.1-KB2990999-x86.msu</a></td></tr>
<tr><td>KB3191566</td><td style="text-align:left">Windows Management Framework 5.1</td><td style="text-align:left">Windows Management Framework 5.1 includes updates to Windows PowerShell, Windows PowerShell Desired State Configuration (DSC), Windows Remote Management (WinRM), and Windows Management Instrumentation (WMI).</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/19_Windows6.1-KB3191566-x64.msu">Windows6.1-KB3191566-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/02_Features/19_Windows6.1-KB3191566-x86.msu">Windows6.1-KB3191566-x86.msu</a></td></tr>
</tbody></table>
<h3 id="installing-the-ad-lds-optional-feature">Installing the AD LDS Optional Feature</h3>
<p>The next table describes the updates required to enable and patch AD LDS.</p>
<p>There is an issue if the AD LDS feature is installed after Windows 7 SP1. If this situation occurs, updates included within the Convenience Rollup (SP2) do not apply correctly. Therefore, these updates need to be installed manually to fully update the feature. More details can be found <a href="http://windows-update-checker.com/FAQ/ConvenienceRollupKB3125574-Issues.htm">here</a>.</p>
<p>There are a dozen different updates related to AD LDS on Windows 7 SP1. However, after careful analysis, only half of them have components that are not replaced by other updates. The unnecessary AD LDS-related updates are: KB2898997, KB2922852, KB3042816, KB3160352, KB3184471, and KB3198591. The required updates are listed in the table below.</p>
<blockquote>
<p>After installing the first AD LDS Update (KB975541), an update may appear as available in Windows Update (KB2853587). However, this update is not required and is replaced with KB3012660. Once KB3012660 is installed, KB2853587 will no longer appear in Windows Update.</p>
</blockquote>
<blockquote>
<p>After installing the first AD LDS Update (KB975541), another update may appear as available in Windows Update (KB3184471). However, this update is not required and is replaced with the latest ESU Windows 7 Cumulative Update. Once that is installed, KB3184471 will no longer appear in Windows Update.</p>
</blockquote>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">KB Number</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>KB975541</td><td style="text-align:left">AD LDS Feature</td><td style="text-align:left">Active Directory Lightweight Directory Services (AD LDS) provides directory services for directory-enabled applications.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/01_Windows6.1-KB975541-x64.msu">Windows6.1-KB975541-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/01_Windows6.1-KB975541-x86.msu">Windows6.1-KB975541-x86.msu</a></td></tr>
<tr><td>KB2462137</td><td style="text-align:left">AD MMC & ADAC Country Update</td><td style="text-align:left">The Active Directory Users and Computers MMC snap-in and Active Directory Administrative Center display Serbia and Montenegro as one country instead of as two countries in Windows 7 SP1.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/02_Windows6.1-KB2462137-v2-x64.msu">Windows6.1-KB2462137-v2-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/02_Windows6.1-KB2462137-v2-x86.msu">Windows6.1-KB2462137-v2-x86.msu</a></td></tr>
<tr><td>KB2539513</td><td style="text-align:left">Repadmin Indefinite Query</td><td style="text-align:left">The repadmin command keeps running when you try to look up the users who have their passwords stored on the RODC.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/03_Windows6.1-KB2539513-x64.msu">Windows6.1-KB2539513-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/03_Windows6.1-KB2539513-x86.msu">Windows6.1-KB2539513-x86.msu</a></td></tr>
<tr><td>KB2589154</td><td style="text-align:left">AD MMC RODC Update</td><td style="text-align:left">Active Directory Users and Computers MMC snap-in crashes when you try to remove an RODC in Windows 7 SP1.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/04_Windows6.1-KB2589154-x64.msu">Windows6.1-KB2589154-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/04_Windows6.1-KB2589154-x86.msu">Windows6.1-KB2589154-x86.msu</a></td></tr>
<tr><td>KB2647644</td><td style="text-align:left">AD Certificate Use Issuer Update</td><td style="text-align:left">You cannot clear the "Use Issuer for alternate security identity" check box in Windows 7 SP1.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/05_Windows6.1-KB2647644-v2-x64.msu">Windows6.1-KB2647644-v2-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/05_Windows6.1-KB2647644-v2-x86.msu">Windows6.1-KB2647644-v2-x86.msu</a></td></tr>
<tr><td>KB2790338</td><td style="text-align:left">AD FS Update Rollup 3</td><td style="text-align:left">Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/06_Windows6.1-KB2790338-v2-x64.msu">Windows6.1-KB2790338-v2-x64.msu</a></td></tr>
<tr><td>KB3012660</td><td style="text-align:left">Unable to install Security Update KB2853587</td><td style="text-align:left">"The update is not applicable to your computer" error when you install update 2853587 in Windows 7 SP1 with AD LDS.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/07_Windows6.1-KB3012660-x64.msu">Windows6.1-KB3012660-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/03_Feature_AD_LDS/07_Windows6.1-KB3012660-x86.msu">Windows6.1-KB3012660-x86.msu</a></td></tr>
</tbody></table>
<h3 id="installing-the-convenience-rollup-sp2-and-running-the-system-update-readiness-tool">Installing the Convenience Rollup (SP2) and running the System Update Readiness Tool</h3>
<p>There are two large updates that can be applied next. The first is the Windows 7 Convenience Rollup, which is also considered SP2 for Windows 7 and includes a collection of hotfixes and updates. The second is the System Update Readiness Tool. This tool does not show up as an installed update; it is included so that it can be run once after SP2 to verify the integrity of the SP2 installation.</p>
<blockquote>
<p>After installing Service Pack 2 (KB3125574), an update may appear as available in Windows Update (KB4539601). However, this update is not required and is replaced with the latest ESU Windows 7 Cumulative Update. Once that is installed, KB4539601 will no longer appear in Windows Update.</p>
</blockquote>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">KB Number</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>KB3125574</td><td style="text-align:left">Service Pack 2</td><td style="text-align:left">This rollup package includes most updates that were released after the release of SP1 for Windows 7, through April 2016, intended to make it easy to integrate these fixes.</td><td>Windows6.1-KB3125574-v4-x64.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x64.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x64.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x64.zip.003">Part 3</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x64.zip.004">Part 4</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x64.zip.005">Part 5</a><br /> <br />Windows6.1-KB3125574-v4-x86.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x86.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x86.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x86.zip.003">Part 3</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/01_Windows6.1-KB3125574-v4-x86.zip.004">Part 4</a></td></tr>
<tr><td>KB947821</td><td style="text-align:left">System Update Readiness Tool</td><td style="text-align:left">This tool fixes inconsistencies found in the Windows servicing store which may prevent the successful installation of future updates, service packs, and software.</td><td>Windows6.1-KB947821-v34-x64.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x64.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x64.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x64.zip.003">Part 3</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x64.zip.004">Part 4</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x64.zip.005">Part 5</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x64.zip.006">Part 6</a><br /> <br /> Windows6.1-KB947821-v34-x86.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x86.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x86.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/04_SP2/02_Windows6.1-KB947821-v34-x86.zip.003">Part 3</a></td></tr>
</tbody></table>
<h3 id="optional-software-updates">Optional Software Updates</h3>
<p>There are seven Windows 7 optional software updates that do not require an ESU license to install.</p>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">Version</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>5.3.0.0</td><td style="text-align:left">Attack Surface Analyzer</td><td style="text-align:left">Attack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/01_Attack_Surface_Analyzer_x64.msi">Attack-Surface-Analyzer-x64.msi</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/01_Attack_Surface_Analyzer_x86.msi">Attack-Surface-Analyzer-x86.msi</a></td></tr>
<tr><td>5.52</td><td style="text-align:left">Enhanced Mitigation Experience Toolkit</td><td style="text-align:left">The Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/02_EMET_Setup.msi">EMET-Setup.msi</a></td></tr>
<tr><td>12.0.0.0</td><td style="text-align:left">Enterprise Mode Internet Explorer Site List Manager</td><td style="text-align:left">This tool lets IT Professionals create and update the Enterprise Mode Site List in the version 2.0 (v.2) XML schema. The Enterprise Mode schema has been updated to v.2 to be easier to read and to provide a better foundation for future capabilities.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/03_EMIESiteListManager.msi">EM-IE-Site-List-Manager.msi</a></td></tr>
<tr><td>10.0.237.0</td><td style="text-align:left">Windows Journal</td><td style="text-align:left">Windows Journal has been removed from certain versions of the Windows Operating System. This update allows users to install Windows Journal on versions of Windows where it has been removed.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/04_Journal_en-us_x64.msi">Journal-en-us-x64.msi</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/04_Journal_en-us_x86.msi">Journal-en-us-x86.msi</a></td></tr>
<tr><td>2.3.2208</td><td style="text-align:left">Microsoft Baseline Security Analyzer</td><td style="text-align:left">The Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/05_MBSASetup-x64-EN.msi">MBSA-Setup-x64-EN.msi</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/05_MBSASetup-x86-EN.msi">MBSA-Setup-x86-EN.msi</a></td></tr>
<tr><td>6.3.9723.0</td><td style="text-align:left">Microsoft Camera Codec Pack</td><td style="text-align:left">The Microsoft Camera Codec Pack enables the viewing of a variety of device-specific file formats in Windows Live Photo Gallery as well as other software that is based in Windows Imaging Codecs (WIC). Installing this package will allow supported RAW camera files to be viewable in Windows Explorer.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/06_MicrosoftCameraCodecPack-x64.msi">Microsoft-Camera-Codec-Pack-x64.msi</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/06_MicrosoftCameraCodecPack-x86.msi">Microsoft-Camera-Codec-Pack-x86.msi</a></td></tr>
<tr><td>10.0.7063.0</td><td style="text-align:left">Utilities and SDK for Subsystem for UNIX-based Applications</td><td style="text-align:left">Utilities and SDK for Subsystem for UNIX-based Applications (SUA) includes the following base utilities, software development kits (SDKs), and shells for use with Subsystem for UNIX-based Applications: Base subsystem commands and utilities, SVR-5 commands and utilities, Base subsystem SDK, GNU SDK, GNU commands and utilities, SCO commands and utilities, UNIX-based Perl, Microsoft Visual Studio® Debugger Extension for debugging POSIX applications, Korn and C shells, and Subsystem for UNIX-based Applications HTML Help files (\*.chm). This release allows you to develop x64-based applications by using SUA, and develop and port custom UNIX-based applications to Windows by using the Windows OCI (Oracle Call Interface) and Windows ODBC libraries.</td><td>Utilities-and-SDK-for-Subsystem-for-UNIX-based-Applications-AMD64.exe<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/07_Utilities_and_SDK_for_Subsystem_for_UNIX-based_Applications_AMD64.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/07_Utilities_and_SDK_for_Subsystem_for_UNIX-based_Applications_AMD64.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/07_Utilities_and_SDK_for_Subsystem_for_UNIX-based_Applications_AMD64.zip.003">Part 3</a><br /> <br />Utilities-and-SDK-for-Subsystem-for-UNIX-based-Applications-X86.exe<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/07_Utilities_and_SDK_for_Subsystem_for_UNIX-based_Applications_X86.zip.001">Part 1</a><br /><a 
href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/07_Utilities_and_SDK_for_Subsystem_for_UNIX-based_Applications_X86.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/05_Optional_Software_Updates/07_Utilities_and_SDK_for_Subsystem_for_UNIX-based_Applications_X86.zip.003">Part 3</a></td></tr>
</tbody></table>
<h3 id="non-esu-sp2-hotfixes">Non-ESU SP2 Hotfixes</h3>
<p>There are six hotfixes available to update components after Service Pack 2 has been installed. These do not require an ESU license to install.</p>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">KB Number</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>KB2818604</td><td style="text-align:left">AMD Microcode Update</td><td style="text-align:left">A microcode update is available for Windows 7-based computers that use AMD processors.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/01_Windows6.1-KB2818604-x64.msu">Windows6.1-KB2818604-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/01_Windows6.1-KB2818604-x86.msu">Windows6.1-KB2818604-x86.msu</a></td></tr>
<tr><td>KB3046480</td><td style="text-align:left">.NET Framework 1.1 Migration Check</td><td style="text-align:left">This update enables the system to determine whether to migrate the Microsoft .NET Framework 1.1 to a later version of Windows when you upgrade from Windows 7 to a later version of Windows. This determination is based on the usage of the .NET Framework 1.1.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/02_Windows6.1-KB3046480-x64.msu">Windows6.1-KB3046480-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/02_Windows6.1-KB3046480-x86.msu">Windows6.1-KB3046480-x86.msu</a></td></tr>
<tr><td>KB3064209</td><td style="text-align:left">Intel Microcode Update</td><td style="text-align:left">June 2015 Intel CPU microcode update for Windows.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/03_Windows6.1-KB3064209-x64.msu">Windows6.1-KB3064209-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/03_Windows6.1-KB3064209-x86.msu">Windows6.1-KB3064209-x86.msu</a></td></tr>
<tr><td>KB4072650</td><td style="text-align:left">Hyper-V Integration Components Update</td><td style="text-align:left">This update installs the latest integrated components for Windows 7 Guest Virtual Machines (VMs) that are running on a Windows 10-based or Windows Server 2016-based host, or a Windows Server 2012 R2-based host.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/bin/04_Windows6.1-KB4072650-x64.cab">Windows6.1-KB4072650-x64.cab</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/bin/04_Windows6.1-KB4072650-x86.cab">Windows6.1-KB4072650-x86.cab</a></td></tr>
<tr><td>KB4524752</td><td style="text-align:left">Windows 7 SP1 Support Notification</td><td style="text-align:left">After 10 years of servicing, January 14, 2020 is the last day Microsoft will offer security updates for computers that run Windows 7 Service Pack 1 (SP1). This update enables reminders about Windows 7 end of support.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/05_Windows6.1-KB4524752-x64.msu">Windows6.1-KB4524752-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/05_Windows6.1-KB4524752-x86.msu">Windows6.1-KB4524752-x86.msu</a></td></tr>
<tr><td>KB4578847</td><td style="text-align:left">Update for Application and Device Compatibility</td><td style="text-align:left">Adds functionality for evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/06_Windows6.1-KB4578847-x64.msu">Windows6.1-KB4578847-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/06_Non_ESU_Hotfixes/06_Windows6.1-KB4578847-x86.msu">Windows6.1-KB4578847-x86.msu</a></td></tr>
</tbody></table>
<h3 id="esu-updates">ESU Updates</h3>
<p>This section describes the latest ESU updates available for Windows 7. All of these updates are cumulative, containing the fixes from all previous versions of the updates. An ESU license is required to install them, and only the latest version of each needs to be installed.</p>
<table style="text-align:center"><colgroup><col width="8%" /><col width="17%" /><col width="53%" /><col width="22%" /></colgroup>
<thead><tr><th style="text-align:center">KB Number</th><th style="text-align:center">Name</th><th style="text-align:center">Description</th><th style="text-align:center">Download</th></tr></thead><tbody>
<tr><td>KB5034865</td><td style="text-align:left">February 2024 Servicing Stack Update</td><td style="text-align:left">This update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSUs) make sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/01_Windows6.1-KB5034865-x64.msu">Windows6.1-KB5034865-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/01_Windows6.1-KB5034865-x86.msu">Windows6.1-KB5034865-x86.msu</a></td></tr>
<tr><td>KB5035888*</td><td style="text-align:left">March 2024 Windows 7 Cumulative Update</td><td style="text-align:left">Security and Quality Rollup for Windows 7 SP1.</td><td>Windows6.1-KB5035888-x64.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x64.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x64.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x64.zip.003">Part 3</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x64.zip.004">Part 4</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x64.zip.005">Part 5</a><br /> <br />Windows6.1-KB5035888-x86.msu<br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x86.zip.001">Part 1</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x86.zip.002">Part 2</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/02_Windows6.1-KB5035888-x86.zip.003">Part 3</a></td></tr>
<tr><td>KB5033899</td><td style="text-align:left">January 2024 .NET Framework 3.5.1 Update</td><td style="text-align:left">Security and Quality Rollup for .NET Framework 3.5.1 for Windows 7 SP1.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/03_Windows6.1-KB5033899-x64.msu">Windows6.1-KB5033899-x64.msu</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/03_Windows6.1-KB5033899-x86.msu">Windows6.1-KB5033899-x86.msu</a></td></tr>
<tr><td>KB5034615</td><td style="text-align:left">February 2024 .NET Framework 4.8 Update</td><td style="text-align:left">Security and Quality Rollup for .NET Framework 4.8 for Windows 7 SP1.</td><td><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/04_ndp48-KB5034615-x64.exe">ndp48-KB5034615-x64.exe</a><br /><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/07_ESU_Updates/04_ndp48-KB5034615-x86.exe">ndp48-KB5034615-x86.exe</a></td></tr>
</tbody></table>
<p>* Note: a new ESU package has been integrated into this update. For details please see this post: <a href="https://hackandpwn.com/windows-7-esu-analysis-updates/">Windows 7 ESU Analysis Updates</a>.</p>
<h3 id="root-certificate-updates">Root Certificate Updates</h3>
<p>Finally, the latest Microsoft Root Certificates need to be installed into the Local Computer Trusted Root Authority Certificate Store. A batch file to automatically install all certificates and revocation lists can be found here: <a href="https://github.com/HackAndPwn/Windows-7-Patching/blob/master/08_Certs/Import.cmd">Import.cmd</a></p>
<table style="text-align:center"><colgroup><col width="8%" /><col width="16%" /><col width="50%" /></colgroup>
<thead><tr><th style="text-align:center">Date</th><th style="text-align:center">Type</th><th>Download</th></tr></thead><tbody>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/MicRooCerAut2011_2011_03_22.crt">MicRooCerAut2011_2011_03_22.crt</a></td></tr>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crt">Microsoft ECC Product Root Certificate Authority 2018.crt</a></td></tr>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20TS%20Root%20Certificate%20Authority%202018.crt">Microsoft ECC TS Root Certificate Authority 2018.crt</a></td></tr>
<tr><td>2018-08-02</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20Time%20Stamp%20Root%20Certificate%20Authority%202014.crt">Microsoft Time Stamp Root Certificate Authority 2014.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crt">Microsoft ECC Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crt">Microsoft EV ECC Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crt">Microsoft RSA Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2020-01-22</td><td>Certificate</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20RSA%20Root%20Certificate%20Authority%202017.crt">Microsoft EV RSA Root Certificate Authority 2017.crt</a></td></tr>
<tr><td>2024-01-03</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20RSA%20Root%20Certificate%20Authority%202017.crl">Microsoft RSA Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-01-06</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20ECC%20Root%20Certificate%20Authority%202017.crl">Microsoft EV ECC Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-01-06</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20EV%20RSA%20Root%20Certificate%20Authority%202017.crl">Microsoft EV RSA Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-01-24</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20Time%20Stamp%20Root%20Certificate%20Authority%202014.crl">Microsoft Time Stamp Root Certificate Authority 2014.crl</a></td></tr>
<tr><td>2024-02-14</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Root%20Certificate%20Authority%202017.crl">Microsoft ECC Root Certificate Authority 2017.crl</a></td></tr>
<tr><td>2024-03-04</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/MicRooCerAut_2010-06-23.crl">MicRooCerAut_2010-06-23.crl</a></td></tr>
<tr><td>2024-03-12</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl">Microsoft ECC Product Root Certificate Authority 2018.crl</a></td></tr>
<tr><td>2024-03-12</td><td>Revocation List</td><td style="text-align:left"><a href="https://github.com/HackAndPwn/Windows-7-Patching/raw/master/08_Certs/Microsoft%20ECC%20TS%20Root%20Certificate%20Authority%202018.crl">Microsoft ECC TS Root Certificate Authority 2018.crl</a></td></tr>
</tbody></table>
<h3 id="conclusion">Conclusion</h3>
<p>Once these updates are installed on top of an up-to-date Windows 7 SP1 installation, the OS has been completely updated with hotfixes and optional features. All of these updates can be found on this GitHub repository: <a href="https://github.com/HackAndPwn/Windows-7-Patching">Windows 7 Patching</a>.</p>
<p>The goal is to keep this list updated as changes are introduced. Please reach out to me via <a href="https://twitter.com/HackAndPwn">X</a> or <a href="https://github.com/HackAndPwn">GitHub</a> if there is an update that is missing, if there is an update in this list that you feel may not be needed, or if there are any other questions or feedback.</p>
<h3 id="update-2024-03-25">Update 2024-03-25</h3>
<ul>
<li>Replaced February 2024 Monthly Update (KB5034831) with March 2024 Monthly Update (KB5035888).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
</ul>
<p>For previous updates to this post, see <a href="https://hackandpwn.com/windows-7-esu-patching-changelog/">Windows 7 ESU Patching Changelog</a>.</p>
<h2 id="windows-8-1-and-2012-r2-esu-analysis-changelog">Windows 8.1 and Windows Server 2012 R2 ESU Analysis Changelog</h2>
<p>Published 2024-01-21: <a href="https://hackandpwn.com/windows-8.1-and-2012-r2-esu-analysis-changelog">https://hackandpwn.com/windows-8.1-and-2012-r2-esu-analysis-changelog</a></p>
<h3 id="update-2024-02-16">Update 2024-02-16</h3>
<ul>
<li>Replaced January 2024 Servicing Stack Update (KB5034587) with February 2024 Servicing Stack Update (KB5034866).</li>
<li>Replaced January 2024 Monthly Update (KB5034171) with February 2024 Monthly Update (KB5034819).</li>
<li>Replaced January 2024 .NET Framework 4.8 Update (KB5033915) with February 2024 .NET Framework 4.8 Update (KB5034617).</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Replaced January 2024 Manifest, Components Registry Key, and SideBySide Registry Key (6.3.9600.21765) with February 2024 (6.3.9600.21813).</li>
<li>Added commands for importing the Manifest file.</li>
</ul>
<h2 id="cve-2022-36415">CVE-2022-36415</h2>
<p>Published 2022-07-20: <a href="https://hackandpwn.com/cve-2022-36415">https://hackandpwn.com/cve-2022-36415</a></p>
<p>A DLL hijacking vulnerability exists in the uninstaller in Scooter Beyond Compare 1.8a through 4.4.2 before 4.4.3 when installed via the EXE installer. The uninstaller attempts to load DLLs out of a Windows Temp folder. If a standard user places malicious DLLs in the C:\Windows\Temp\ folder, and then the uninstaller is run as SYSTEM, the DLLs will execute with elevated privileges.</p>
<p><a href="https://www.scootersoftware.com/support.php?zz=kb_security_2022-02">Scooter Software Security Bulletin</a></p>
<h2 id="cve-2022-36414">CVE-2022-36414</h2>
<p>Published 2022-07-20: <a href="https://hackandpwn.com/cve-2022-36414">https://hackandpwn.com/cve-2022-36414</a></p>
<p>There is an elevation of privilege breakout vulnerability in the Windows EXE installer in Scooter Beyond Compare 4.2.0 through 4.4.2 before 4.4.3. Affected versions allow a logged-in user to run applications with elevated privileges via the Clipboard Compare tray app after installation.</p>
<p><a href="https://www.scootersoftware.com/support.php?zz=kb_security_2022-01">Scooter Software Security Bulletin</a></p>
<h2 id="cve-2022-30570">CVE-2022-30570</h2>
<p>Published 2022-07-19: <a href="https://hackandpwn.com/cve-2022-30570">https://hackandpwn.com/cve-2022-30570</a></p>
<p>The Column Based Security component of TIBCO Software Inc.’s TIBCO Data Virtualization and TIBCO Data Virtualization for AWS Marketplace contains an easily exploitable vulnerability that allows a low privileged attacker with network access to obtain read access to application information on the affected system. Affected releases are TIBCO Software Inc.’s TIBCO Data Virtualization: versions 8.5.2 and below and TIBCO Data Virtualization for AWS Marketplace: versions 8.5.2 and below.</p>
<p><a href="https://www.tibco.com/support/advisories/2022/06/tibco-security-advisory-july-19-2022-tdv-cve-2022-30570">TIBCO Security Bulletin</a></p>
<h2 id="cve-2022-31012">CVE-2022-31012</h2>
<p>Published 2022-07-12: <a href="https://hackandpwn.com/cve-2022-31012">https://hackandpwn.com/cve-2022-31012</a></p>
<p>Git for Windows is a fork of Git that contains Windows-specific patches. This vulnerability in versions prior to 2.37.1 lets Git for Windows’ installer execute a binary into C:\mingw64\bin\git.exe by mistake. This only happens upon a fresh install, not when upgrading Git for Windows. A patch is included in version 2.37.1. Two workarounds are available. Create the C:\mingw64 folder and remove read/write access from this folder, or disallow arbitrary authenticated users to create folders in C:.</p>
<p><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-gjrj-fxvp-hjj2">Git Security Bulletin</a></p>
<h2 id="cve-2022-2145">CVE-2022-2145</h2>
<p>Published 2022-06-27: <a href="https://hackandpwn.com/cve-2022-2145">https://hackandpwn.com/cve-2022-2145</a></p>
<p>Cloudflare WARP client for Windows (up to v. 2022.5.309.0) allowed creation of mount points from its ProgramData folder. During installation of the WARP client, it was possible to escalate privileges and overwrite SYSTEM protected files.</p>
<p><a href="https://github.com/cloudflare/advisories/security/advisories/GHSA-6fpc-qxmr-6wrq">Cloudflare Security Bulletin</a></p>
<h2 id="cve-2022-29094">CVE-2022-29094</h2>
<p>Published 2022-06-09: <a href="https://hackandpwn.com/cve-2022-29094">https://hackandpwn.com/cve-2022-29094</a></p>
<p>Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion/overwrite vulnerability. An authenticated non-admin user could exploit the issue and delete or overwrite arbitrary files on the system.</p>
<p><a href="https://www.dell.com/support/kbdoc/en-us/000200456/dsa-2022-139-dell-supportassist-for-home-pcs-and-business-pcs-security-update-for-multiple-security-vulnerabilities">Dell Security Bulletin</a></p>
<h2 id="cve-2022-29093">CVE-2022-29093</h2>
<p>Published 2022-06-09: <a href="https://hackandpwn.com/cve-2022-29093">https://hackandpwn.com/cve-2022-29093</a></p>
<p>Dell SupportAssist Client Consumer versions (3.10.4 and versions prior) and Dell SupportAssist Client Commercial versions (3.1.1 and versions prior) contain an arbitrary file deletion vulnerability. An authenticated non-admin user could exploit the issue and delete arbitrary files on the system.</p>
<p><a href="https://www.dell.com/support/kbdoc/en-us/000200456/dsa-2022-139-dell-supportassist-for-home-pcs-and-business-pcs-security-update-for-multiple-security-vulnerabilities">Dell Security Bulletin</a></p>
<h2 id="cve-2022-26865">CVE-2022-26865</h2>
<p>Published 2022-04-26: <a href="https://hackandpwn.com/cve-2022-26865">https://hackandpwn.com/cve-2022-26865</a></p>
<p>Dell Support Assist OS Recovery versions before 5.5.2 contain an Authentication Bypass vulnerability. An unauthenticated attacker with physical access to the system may exploit this vulnerability by bypassing OS Recovery authentication in order to run arbitrary code on the system as Administrator.</p>
<p><a href="https://www.dell.com/support/kbdoc/en-us/000198780/dsa-2022-102">Dell Security Bulletin</a></p>
<h2 id="cve-2022-28247">CVE-2022-28247</h2>
<p>Published 2022-04-12: <a href="https://hackandpwn.com/cve-2022-28247">https://hackandpwn.com/cve-2022-28247</a></p>
<p>Acrobat Reader DC version 22.001.2011x (and earlier), 20.005.3033x (and earlier) and 17.012.3022x (and earlier) are affected by an uncontrolled search path vulnerability that could lead to local privilege escalation. Exploitation of this issue requires user interaction in that a victim must run the uninstaller with Admin privileges.</p>
<p><a href="https://helpx.adobe.com/security/products/acrobat/apsb22-16.html">Adobe Security Bulletin</a></p>
<h2 id="cve-2022-24767">CVE-2022-24767</h2>
<p>Published 2022-04-12: <a href="https://hackandpwn.com/cve-2022-24767">https://hackandpwn.com/cve-2022-24767</a></p>
<p>Git for Windows is a fork of Git containing Windows-specific patches. Since part of Git for Windows’ uninstaller is copied into the current user’s temporary directory and run in that place, it is important to ensure that there are no malicious .dll files in that directory that might be loaded as part of loading the executable. However, the default system settings for TMP and TEMP are to point to C:\Windows\Temp, a folder that is world-writable (for historical reasons), and the SYSTEM user account inherits those settings. This means that any authenticated user can place malicious .dll files that are loaded when Git for Windows’ uninstaller is run via the SYSTEM account. Fixes are available in Git for Windows v2.35.2 or newer. Users unable to upgrade may override SYSTEM’s TMP environment variable to point to a directory exclusively under SYSTEM’s control before running the uninstaller, clear C:\Windows\Temp of all .dll files before running the uninstaller, or run the uninstaller under an admin account rather than SYSTEM as a workaround.</p>
<p><a href="https://github.com/git-for-windows/git/security/advisories/GHSA-gf48-x3vr-j5c3">Git Security Bulletin</a></p>
<h2 id="cve-2022-22665">CVE-2022-22665</h2>
<p>Published 2022-03-14: <a href="https://hackandpwn.com/cve-2022-22665">https://hackandpwn.com/cve-2022-22665</a></p>
<p>Apple macOS AppKit - A malicious application may be able to gain root privileges.</p>
<p><a href="https://support.apple.com/en-us/HT213184">Apple Security Bulletin</a></p>
<h2 id="cve-2022-24525">CVE-2022-24525</h2>
<p>Published 2022-03-08: <a href="https://hackandpwn.com/cve-2022-24525">https://hackandpwn.com/cve-2022-24525</a></p>
<p>Windows Update Stack Elevation of Privilege Vulnerability</p>
<p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-24525">Microsoft Security Bulletin</a></p>
<h2 id="cve-2022-26488">CVE-2022-26488</h2>
<p>Published 2022-03-07: <a href="https://hackandpwn.com/cve-2022-26488">https://hackandpwn.com/cve-2022-26488</a></p>
<p>In Python before 3.10.3 on Windows, local users can gain privileges because the search path is inadequately secured. The installer may allow a local attacker to add user-writable directories to the system search path. To exploit, an administrator must have installed Python for all users and enabled PATH entries. A non-administrative user can trigger a repair that incorrectly adds user-writable paths into PATH, enabling search-path hijacking of other users and system services. This affects Python (CPython) through 3.7.12, 3.8.x through 3.8.12, 3.9.x through 3.9.10, and 3.10.x through 3.10.2.</p>
<p><a href="https://mail.python.org/archives/list/security-announce@python.org/thread/657Z4XULWZNIY5FRP3OWXHYKUSIH6DMN/">Python Security Bulletin</a></p>
<h2 id="cve-2022-22943">CVE-2022-22943</h2>
<p>Published 2022-03-01: <a href="https://hackandpwn.com/cve-2022-22943">https://hackandpwn.com/cve-2022-22943</a></p>
<p>VMware Tools for Windows (11.x.y and 10.x.y prior to 12.0.0) contains an uncontrolled search path vulnerability. A malicious actor with local administrative privileges in the Windows guest OS, where VMware Tools is installed, may be able to execute code with system privileges in the Windows guest OS due to an uncontrolled search path element.</p>
<p><a href="https://www.vmware.com/security/advisories/VMSA-2022-0007.html">VMware Security Bulletin</a></p>
<h2 id="cve-2021-42563">CVE-2021-42563</h2>
<p>Published 2021-11-12: <a href="https://hackandpwn.com/cve-2021-42563">https://hackandpwn.com/cve-2021-42563</a></p>
<p>There is an Unquoted Service Path in NI Service Locator (nisvcloc.exe) in versions prior to 18.0 on Windows. This may allow an authorized local user to insert arbitrary code into the unquoted service path and escalate privileges.</p>
<p><a href="https://www.ni.com/en-us/support/documentation/supplemental/21/unquoted-service-path-in-ni-service-locator.html">NI Security Bulletin</a></p>
<h2 id="cve-2021-34413">CVE-2021-34413</h2>
<p>Published 2021-10-24: <a href="https://hackandpwn.com/cve-2021-34413">https://hackandpwn.com/cve-2021-34413</a></p>
<p>Zoom MacOS Outlook Plugin Installer Local Privilege Escalation - All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin</a></p>
<h2 id="cve-2021-34412">CVE-2021-34412</h2>
<p>Published 2021-10-24: <a href="https://hackandpwn.com/cve-2021-34412">https://hackandpwn.com/cve-2021-34412</a></p>
<p>Zoom for Windows Installer Local Privilege Escalation - During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin</a></p>
<h2 id="cve-2021-34411">CVE-2021-34411</h2>
<p>Published 2021-10-24: <a href="https://hackandpwn.com/cve-2021-34411">https://hackandpwn.com/cve-2021-34411</a></p>
<p>Zoom Rooms Installer Local Privilege Escalation - During the installation process for Zoom Rooms for Conference Room for Windows before version 5.3.0 it is possible to launch Internet Explorer with elevated privileges. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin</a></p>
<h2 id="cve-2021-22038">CVE-2021-22038</h2>
<p>Published 2021-10-19: <a href="https://hackandpwn.com/cve-2021-22038">https://hackandpwn.com/cve-2021-22038</a></p>
<p>On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus gaining Administrator privileges (if the original uninstaller was executed as Administrator). The vulnerability only affects Windows installers.</p>
<p><a href="https://blog.installbuilder.com/2021/10/installbuilder-2160-released.html">InstallBuilder Security Bulletin</a></p>
<h2 id="cve-2021-22037">CVE-2021-22037</h2>
<p>Published 2021-10-19: <a href="https://hackandpwn.com/cve-2021-22037">https://hackandpwn.com/cve-2021-22037</a></p>
<p>Under certain circumstances, when manipulating the Windows registry, InstallBuilder uses the reg.exe system command. The full path to the command is not enforced, which results in a search in the search path until a binary can be identified. This makes the installer/uninstaller vulnerable to Path Interception by Search Order Hijacking, potentially allowing an attacker to plant a malicious reg.exe command so it takes precedence over the system command. The vulnerability only affects Windows installers.</p>
<p><a href="https://blog.installbuilder.com/2021/10/installbuilder-2160-released.html">InstallBuilder Security Bulletin</a></p>
<h2 id="cve-2021-34410">CVE-2021-34410 - Zoom - Incorrect Permission Assignment for Critical Resource</h2>
<p>Published 2021-09-30: <a href="https://hackandpwn.com/cve-2021-34410">https://hackandpwn.com/cve-2021-34410</a></p>
<p>Zoom Plugin for Microsoft Outlook (MacOS) Installer Root App Privilege Escalation - A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin ZSB-21006</a></p>
<h2 id="cve-2021-34409">CVE-2021-34409 - Zoom - Incorrect Permission Assignment for Critical Resource</h2>
<p>Published 2021-09-30: <a href="https://hackandpwn.com/cve-2021-34409">https://hackandpwn.com/cve-2021-34409</a></p>
<p>MacOS Installer Privilege Escalation - User-writable pre and post-install scripts unpacked during the Zoom Client for Meetings for MacOS installation before version 5.2.0 allow for privilege escalation to root.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin ZSB-21005</a></p>
<h2 id="cve-2021-34408">CVE-2021-34408 - Zoom - Improper Link Resolution Before File Access</h2>
<p>Published 2021-09-30: <a href="https://hackandpwn.com/cve-2021-34408">https://hackandpwn.com/cve-2021-34408</a></p>
<p>Zoom MSI Installer Elevated Write Using A Junction - A user-writable directory created during the installation of the Zoom Client for Meetings for Windows version prior to version 5.3.2 can be redirected to another location using a junction. This would allow an attacker to overwrite files that a limited user would otherwise be unable to modify.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin ZSB-21004</a></p>
<h2 id="cve-2021-33907">CVE-2021-33907 - Zoom - Improper Certificate Validation</h2>
<p>Published 2021-09-30: <a href="https://hackandpwn.com/cve-2021-33907">https://hackandpwn.com/cve-2021-33907</a></p>
<p>Windows Zoom Installer Digital Signature Bypass - The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Bulletin ZSB-21003</a></p>
<h2 id="windows-7-esu-analysis">Windows 7 ESU Analysis</h2>
<p>Published 2021-08-09: <a href="https://hackandpwn.com/windows-7-esu-analysis">https://hackandpwn.com/windows-7-esu-analysis</a></p>
<p>The Windows 7 free security update window closed to consumers in January of 2020. However, due to the overwhelming popularity of the OS, Microsoft began offering Extended Security Updates (ESU) for the Operating System. The first update preparing a Windows 7 system for this next phase of patches is <a href="https://support.microsoft.com/en-us/help/4528069">KB4528069</a>. This post dissects the KB4528069 update to understand how ESUs differ from standard Windows 7 updates.</p>
<p><br /></p>
<blockquote>
<p>Important: You must obtain an ESU license to apply ESU updates. Details on obtaining an ESU license can be found <a href="https://support.microsoft.com/en-us/help/4497181/lifecycle-faq-extended-security-updates">here</a>. This research was completed for security vulnerability research purposes only following the <a href="https://www.microsoft.com/en-us/msrc/bounty-safe-harbor">Microsoft Legal Safe Harbor Terms</a>. Do not try to reproduce without having the required licenses.</p>
</blockquote>
<p><br /></p>
<h3 id="preparing-the-computer">Preparing The Computer</h3>
<p>To start, I deployed a brand new VM of 64-Bit Windows 7 SP1, resulting in a build from November 19th, 2010 (101119).</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/01.jpg" /></center>
<p>Next, I started checking for updates. This resulted in 182 updates on the first scan.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/02.jpg" /></center>
<p>Some of the updates would not install without manually installing KB4474419 (SHA-2 code signing support update), KB4490628 (Servicing Stack update), and KB3138612 (Windows Update Client update).</p>
<p>After many update cycles and reboots, 10 years of updates have been applied.</p>
<p>Finally, no more updates are available, bringing the build to January 2nd, 2020 (200102).</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/03.jpg" /></center>
<p>For good measure I also ran disk cleanup to remove 8 GB of excess files.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/04.jpg" /></center>
<p><br /></p>
<h3 id="installing-kb4528069">Installing KB4528069</h3>
<p>Next, I downloaded and tried to install KB4528069 (Verify Computer Is Ready To Receive Extended Updates), but this fails.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/05.jpg" /></center>
<p>So, I reverted the VM, started up ProcMon, and traced the installation of this update.</p>
<p><br /></p>
<h3 id="manifest-file">Manifest File</h3>
<p>The first thing that I discovered within the trace was a manifest file that was being created, specifically:</p>
<blockquote>
<p>C:\Windows\WinSXS\Manifests\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.20587_none_c8993b883659a816.manifest</p>
</blockquote>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/06.jpg" /></center>
<p>The content of this file shows that it is an important file to keep on the system.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/07.jpg" /></center>
<p>A final note on this file: re-examining the ProcMon capture shows that it is added but NOT DELETED when the update fails. This will be important later.</p>
<p><br /></p>
<h3 id="components-registry-keys">Components Registry Keys</h3>
<p>The next thing that I noticed was a couple of registry keys being created, specifically:</p>
<blockquote>
<p>[HKEY_LOCAL_MACHINE\Components\DerivedData\Components\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.20587_none_c8993b883659a816]<br />
"identity"=hex:4d,69,63,72,6f,73,6f,66,74,2d,57,69,6e,64,6f,77,73,2d,53,4c,43,2d,43,<br />
6f,6d,70,6f,6e,65,6e,74,2d,45,78,74,65,6e,64,65,64,53,65,63,75,72,69,74,79,55,70,64,61,<br />
74,65,73,41,49,2c,20,43,75,6c,74,75,72,65,3d,6e,65,75,74,72,61,6c,2c,20,56,65,72,73,69,<br />
6f,6e,3d,36,2e,31,2e,37,36,30,32,2e,32,30,35,38,37,2c,20,50,75,62,6c,69,63,4b,65,79,54,<br />
6f,6b,65,6e,3d,33,31,62,66,33,38,35,36,61,64,33,36,34,65,33,35,2c,20,50,72,6f,63,65,73,<br />
73,6f,72,41,72,63,68,69,74,65,63,74,75,72,65,3d,61,6d,64,36,34,2c,20,76,65,72,73,69,6f,<br />
6e,53,63,6f,70,65,3d,4e,6f,6e,53,78,53<br />
"S256H"=hex:e8,4b,2d,35,da,c9,da,c4,7c,70,94,05,e4,e6,4b,00,7d,3e,9d,93,f6,b9,c4,e2,ee,79,bf,b4,cd,c0,7f,f8<br />
"c!1208dabb65a..2207abac32f_31bf3856ad364e35_6.1.7602.20587_85098b546dfae448"=hex:</p>
</blockquote>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/08.jpg" /></center>
<p>The COMPONENTS registry hive is hidden by default, so I manually mounted it to view the referenced registry key.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/09.jpg" /></center>
<p>Navigating to the registry key shows that, again, this installation step is not reverted: the registry keys persist. Checking the ProcMon trace confirms that the key is created but not removed when the update fails.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/10.jpg" /></center>
<p>This will also be important later.</p>
<p><br /></p>
<h3 id="sidebyside-registry-keys">SideBySide Registry Keys</h3>
<p>Finally, the last important activity I noticed was the modification of registry keys in the Local Machine registry hive. Specifically:</p>
<blockquote>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_none_0e8b36cfce2fb332\6.1]</p>
</blockquote>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/11.jpg" /></center>
<p>Checking the registry again after the failed update, there is something different about this registry entry. It is missing.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/12.jpg" /></center>
<p>Re-examining the ProcMon trace, we see that this key is created, and then deleted as part of the failed update.</p>
<blockquote>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_none_0e8b36cfce2fb332\6.1]<br />
"6.1.7602.20587"=hex:01</p>
</blockquote>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/13.jpg" /></center>
<p>The other value set under this key during the patch installation is the (Default) @ value, which temporarily switches to the new version string and then reverts to the old value.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/14.jpg" /></center>
<p><br /></p>
<h3 id="manually-flipping-sidebyside-registry-keys">Manually Flipping SideBySide Registry Keys</h3>
<p>Now that we know the SideBySide registry key change gets reverted, I manually set it to the value KB4528069 is trying to set:</p>
<blockquote>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_none_0e8b36cfce2fb332\6.1]<br />
@="6.1.7602.20587"<br />
"6.1.7602.20587"=hex:01</p>
</blockquote>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/15.jpg" /></center>
<p>And now if I try to install KB4528069 again…</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/16.jpg" /></center>
<p>The update completes successfully!</p>
<p><br /></p>
<h3 id="bringing-windows-7-up-to-date">Bringing Windows 7 Up To Date</h3>
<p>It is one thing to install a silly update that verifies eligibility. It is another to get additional updates to install. First, I grab the latest SSU from April and try to install it.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/17.jpg" /></center>
<p>This installs successfully. Next, I try to install the latest cumulative update from April.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/18.jpg" /></center>
<p>This appears to install successfully. However, we will not know if it works until after the reboot. From Microsoft’s Known Issues section in the <a href="https://support.microsoft.com/en-us/help/4537820/windows-7-update-kb4537820">February Cumulative Update</a>:</p>
<blockquote>
<p>After installing this update and restarting your device, you might receive the error, “Failure to configure Windows updates. Reverting Changes. Do not turn off your computer,” and the update might show as Failed in Update History.</p>
</blockquote>
<p>That error would be a sign that there are issues with the current ESU configuration. However, after the reboot there are no errors, and the OS build date has successfully increased to March 30th, 2020.</p>
<center><img src="/assets/2020-04-28-windows-7-esu-analysis/19.jpg" /></center>
<p><br /></p>
<h3 id="summary">Summary</h3>
<p>What I learned from dissecting this update was that there are 3 important parts to the installation of KB4528069: The manifest file, the Components registry keys, and the SideBySide registry keys. However, 2 of the 3 required parts do not revert upon a failed update. Therefore, to get the update to install properly:</p>
<ol>
<li>Attempt to install KB4528069 and let it fail.</li>
<li>Flip the SideBySide registry key to use the newer SideBySide version.</li>
<li>Attempt to install KB4528069 and it should succeed.</li>
</ol>
<p>After this, the latest servicing stack update and the latest cumulative update can be installed without issue.</p>
<p>Note: Windows Update will not detect available updates unless a valid key has been activated, regardless of whether the latest servicing stack and cumulative updates have been installed.</p>
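<p>As an added example (not code from the original post or from the linked GitHub repository), the following read-only PowerShell script audits a 64-bit Windows 7 SP1 system for the three KB4528069 artifacts identified in the Manifest File, Components Registry Keys and SideBySide Registry Keys sections, and decodes the REG_BINARY identity value from the Components key into the component identity string it encodes. The file name, key paths and value names are the ones quoted in this post; the COMPONENTS hive file location (%SystemRoot%\System32\config\COMPONENTS), the temporary mount name HKLM\ESU_COMPONENTS and the function names are assumptions of this example.</p>

```powershell
# Added example, not part of the original post. Read-only audit of the three
# KB4528069 artifacts on 64-bit Windows 7 SP1. File and key names are taken
# from the post; the COMPONENTS hive file path and the HKLM\ESU_COMPONENTS
# mount name are assumptions. Run from an elevated PowerShell prompt.

$componentName = 'amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.20587_none_c8993b883659a816'
$winnerName    = 'amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_none_0e8b36cfce2fb332'
$esuVersion    = '6.1.7602.20587'

function ConvertFrom-RegHexString {
    # Decode a .reg-style "hex:4d,69,..." REG_BINARY value into ASCII text.
    # Whitespace and trailing-backslash line continuations are ignored.
    param([Parameter(Mandatory = $true)][string]$RegHex)
    $clean = ($RegHex -replace '^\s*hex:', '') -replace '[\s\\]', ''
    $bytes = foreach ($h in $clean.Split(',', [StringSplitOptions]::RemoveEmptyEntries)) {
        [Convert]::ToByte($h, 16)
    }
    [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes)
}

function Test-EsuManifest {
    # Part 1: manifest in WinSxS. The post shows it survives a failed install.
    $path = Join-Path $env:SystemRoot "WinSxS\Manifests\$componentName.manifest"
    [pscustomobject]@{ Artifact = 'Manifest'; Path = $path; Present = (Test-Path -LiteralPath $path) }
}

function Test-EsuComponentsKey {
    # Part 2: COMPONENTS hive entry. The hive is hidden by default, so mount its
    # backing file under a temporary name (assumption), read the key, then unload.
    $hiveFile = Join-Path $env:SystemRoot 'System32\config\COMPONENTS'
    $subKey   = "DerivedData\Components\$componentName"
    $result   = [pscustomobject]@{ Artifact = 'COMPONENTS key'; Path = "COMPONENTS\$subKey"; Present = $false; Identity = $null }
    & reg.exe load 'HKLM\ESU_COMPONENTS' $hiveFile 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not load $hiveFile; it may already be in use by the servicing stack."
        return $result
    }
    try {
        $key = "HKLM:\ESU_COMPONENTS\$subKey"
        if (Test-Path -LiteralPath $key) {
            $result.Present = $true
            # 'identity' is REG_BINARY holding an ASCII component identity string.
            $bytes = (Get-ItemProperty -LiteralPath $key).identity
            if ($bytes) { $result.Identity = [System.Text.Encoding]::ASCII.GetString([byte[]]$bytes) }
        }
    } finally {
        [gc]::Collect()   # release provider handles so the hive can be unloaded
        & reg.exe unload 'HKLM\ESU_COMPONENTS' 2>&1 | Out-Null
    }
    $result
}

function Test-EsuSideBySideWinner {
    # Part 3: SideBySide winner key. This is the part a failed install reverts,
    # so check both the (Default) version string and the per-version flag.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\$winnerName\6.1"
    $default = $null; $flagSet = $false
    if (Test-Path -LiteralPath $key) {
        $item    = Get-ItemProperty -LiteralPath $key
        $default = $item.'(default)'
        $flag    = $item.$esuVersion          # REG_BINARY, expected hex:01
        $flagSet = ($null -ne $flag -and $flag.Length -ge 1 -and $flag[0] -eq 1)
    }
    [pscustomobject]@{
        Artifact   = 'SideBySide winner'
        Path       = $key
        Present    = (Test-Path -LiteralPath $key)
        Default    = $default
        Consistent = ($default -eq $esuVersion -and $flagSet)
    }
}

# Decode the identity blob quoted in the Components Registry Keys section
# offline (value copied from the post), without touching the live hive.
$identityHex = @'
hex:4d,69,63,72,6f,73,6f,66,74,2d,57,69,6e,64,6f,77,73,2d,53,4c,43,2d,43,
6f,6d,70,6f,6e,65,6e,74,2d,45,78,74,65,6e,64,65,64,53,65,63,75,72,69,74,79,55,70,64,61,
74,65,73,41,49,2c,20,43,75,6c,74,75,72,65,3d,6e,65,75,74,72,61,6c,2c,20,56,65,72,73,69,
6f,6e,3d,36,2e,31,2e,37,36,30,32,2e,32,30,35,38,37,2c,20,50,75,62,6c,69,63,4b,65,79,54,
6f,6b,65,6e,3d,33,31,62,66,33,38,35,36,61,64,33,36,34,65,33,35,2c,20,50,72,6f,63,65,73,
73,6f,72,41,72,63,68,69,74,65,63,74,75,72,65,3d,61,6d,64,36,34,2c,20,76,65,72,73,69,6f,
6e,53,63,6f,70,65,3d,4e,6f,6e,53,78,53
'@
ConvertFrom-RegHexString $identityHex

# Audit the live system.
@(Test-EsuManifest; Test-EsuComponentsKey; Test-EsuSideBySideWinner) | Format-List
```

<p>The decoded identity is a plain ASCII string naming the Microsoft-Windows-SLC-Component-ExtendedSecurityUpdatesAI component together with its Culture, Version, PublicKeyToken, ProcessorArchitecture and versionScope fields, which is why the Components key entry is tied to exactly this manifest. Reading the audit output: manifest and COMPONENTS entries present but the SideBySide winner absent or inconsistent is the state this post describes after a failed KB4528069 attempt; all three present with the winner consistent is the state after a successful install. If reg.exe cannot load the hive file because the servicing stack holds it open, only the first and third checks are meaningful.</p>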
<p><br /></p>
<h3 id="update-2020-09-12">Update 2020-09-12</h3>
<p>The September 2020 Cumulative Update breaks this technique: it does not install successfully. For an updated workaround, see this post: <a href="https://hackandpwn.com/windows-7-esu-analysis-updates">Windows 7 ESU Analysis Updates</a></p>
<p><br /></p>
<h3 id="update-2021-08-09">Update 2021-08-09</h3>
<p>Support for 32-Bit operating systems has been verified. Links to relevant registry settings and the manifest file have been added.</p>
<p><br /></p>
<h3 id="references">References</h3>
<p>The various files and registry keys used as part of this analysis have been uploaded to GitHub <a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis">here</a>. See below for specific files and links referenced.</p>
<blockquote>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/windows6.1-kb4528069-x64_b00bef3c3a13b8bc65bfaea63426386dbb54c336.msu">KB4528069 x64</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/windows6.1-kb4528069-x86_82fedea7537b64f6b147070f53bb95e4bf27d3a5.msu">KB4528069 x86</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/amd64_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.20587_none_c8993b883659a816.manifest">Manifest File x64</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/x86_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_6.1.7602.20587_none_6c7aa0047dfc36e0.manifest">Manifest File x86</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/ComponentsRegistryKey_x64.reg">Components Registry Key x64</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/ComponentsRegistryKey_x86.reg">Components Registry Key x86</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/SideBySideRegistryKey_x64.reg">SideBySide Registry Key x64</a></p>
<p><a href="https://github.com/HackAndPwn/Windows-7-ESU-Analysis/raw/master/2019_10/SideBySideRegistryKey_x86.reg">SideBySide Registry Key x86</a></p>
</blockquote>
<h2 id="cve-2020-11632">CVE-2020-11632 - Zscaler - Unquoted Search Path or Element</h2>
<p>Published 2021-07-19: <a href="https://hackandpwn.com/cve-2020-11632">https://hackandpwn.com/cve-2020-11632</a></p>
<p>The Zscaler Client Connector prior to 2.1.2.150 did not quote the search path for services, which allows a local adversary to execute code with system privileges.</p>
<p><a href="https://help.zscaler.com/zscaler-client-connector/client-connector-app-release-summary-2020?applicable_category=Windows&applicable_version=2.1.2.105">Zscaler Release Notes</a></p>
<h2 id="cve-2021-1496">CVE-2021-1496 - Cisco - Creation of Temporary File with Insecure Permissions</h2>
<p>Published 2021-05-05: <a href="https://hackandpwn.com/cve-2021-1496">https://hackandpwn.com/cve-2021-1496</a></p>
<p>A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.</p>
<p>This vulnerability exists because the application loads an executable file from a user-writable directory. An attacker could exploit this vulnerability by copying a malicious executable file to a specific directory, which would be executed when the application is installed or upgraded. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker needs valid credentials on the Windows system.</p>
<p>Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p>
<p><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6">Cisco Release Notes</a></p>
<h2 id="cve-2021-1430">CVE-2021-1430 - Cisco - Creation of Temporary File with Insecure Permissions</h2>
<p>Published 2021-05-05: <a href="https://hackandpwn.com/cve-2021-1430">https://hackandpwn.com/cve-2021-1430</a></p>
<p>A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.</p>
<p>This vulnerability exists because a temporary file with insecure permissions is created during the upgrade process. An attacker could exploit this vulnerability by overwriting the temporary file before it is accessed for execution. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.</p>
<p>Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p>
<p><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6">Cisco Release Notes</a></p>
CVE-2021-1429 - Cisco - Creation of Temporary File with Insecure Permissions2021-05-05T00:00:00+00:00https://hackandpwn.com/cve-2021-1429<p>A vulnerability in the install process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform an executable hijacking attack on an affected device.</p>
<p>This vulnerability exists because a temporary file with insecure permissions is created during the upgrade process. An attacker could exploit this vulnerability by overwriting the temporary file before it is accessed for execution. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.</p>
<p>Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p>
<p><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6">Cisco Release Notes</a></p>
CVE-2021-1428 - Cisco - Creation of Temporary File with Insecure Permissions2021-05-05T00:00:00+00:00https://hackandpwn.com/cve-2021-1428<p>A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.</p>
<p>This vulnerability exists because the application loads a DLL file from a user-writable directory. An attacker could exploit this vulnerability by copying a malicious DLL file to a specific directory. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.</p>
<p>Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p>
<p><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6">Cisco Release Notes</a></p>
CVE-2021-1427 - Cisco - Creation of Temporary File with Insecure Permissions2021-05-05T00:00:00+00:00https://hackandpwn.com/cve-2021-1427<p>A vulnerability in the upgrade process of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack on an affected device.</p>
<p>This vulnerability exists because the application loads a DLL file from a user-writable directory. An attacker could exploit this vulnerability by copying a malicious DLL file to a specific directory. A successful exploit could allow the attacker to execute arbitrary code on the affected device with SYSTEM privileges. To exploit this vulnerability, the attacker must have valid credentials on the Windows system.</p>
<p>Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.</p>
<p><a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-code-exec-jR3tWTA6">Cisco Release Notes</a></p>
CVE-2021-27064 - Microsoft - Privilege Escalation2021-04-13T00:00:00+00:00https://hackandpwn.com/cve-2021-27064<p>A remote code execution vulnerability exists when the Visual Studio installer executes the feedback client in an elevated state.</p>
<p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27064">Microsoft Security Update Guide</a></p>
CVE-2021-23879 - McAfee - Unquoted Search Path or Element2021-03-09T00:00:00+00:00https://hackandpwn.com/cve-2021-23879<p>Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from a compromised folder. The tool did not enforce and protect the execution path.</p>
<p>Local admin privileges are required to place the files in the required location.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10351&showDraft=true">Trellix Security Bulletin SB10351</a></p>
CVE-2021-23878 - McAfee - Cleartext Storage of Sensitive Information2021-02-09T00:00:00+00:00https://hackandpwn.com/cve-2021-23878<p>Clear text storage of sensitive Information in memory vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2021 Update allows a local user to view ENS settings and credentials via accessing process memory after the ENS administrator has performed specific actions.</p>
<p>To exploit this, the local user has to access the relevant memory location immediately after an ENS administrator has made a configuration change through the console on their machine.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10345&showDraft=true">Trellix Security Bulletin SB10345</a></p>
CVE-2021-1694 - Microsoft - Improper Privilege Management2021-01-12T00:00:00+00:00https://hackandpwn.com/cve-2021-1694<p>Windows Update Stack Elevation of Privilege Vulnerability</p>
<p>To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine.</p>
<p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1694">Microsoft Security Advisory</a></p>
CVE-2020-26118 - SmartBear - Deserialization of Untrusted Data2021-01-05T00:00:00+00:00https://hackandpwn.com/cve-2020-26118<p>In SmartBear Collaborator Server through 13.3.13302, use of the Google Web Toolkit (GWT) API introduces a post-authentication Java deserialization vulnerability. The application’s UpdateMemento class accepts a serialized Java object directly from the user without properly sanitizing it. A malicious object can be submitted to the server via an authenticated attacker to execute commands on the underlying system.</p>
<p><a href="https://support.smartbear.com/collaborator/docs/general-info/version-history/ver-13/ver-13-0.html#v13400">SmartBear Collaborator Release Notes</a></p>
CVE-2020-27645 - 1E - Unquoted Search Path or Element2020-12-29T00:00:00+00:00https://hackandpwn.com/cve-2020-27645<p>The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.</p>
<p><a href="https://www.1e.com/trust-security-compliance/cve-info/">1E Security Advisory</a></p>
CVE-2020-27644 - 1E - Unquoted Search Path or Element2020-12-29T00:00:00+00:00https://hackandpwn.com/cve-2020-27644<p>The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious file named cryptbase.dll in C:\Windows\Temp.</p>
<p><a href="https://www.1e.com/trust-security-compliance/cve-info/">1E Security Advisory</a></p>
CVE-2020-27643 - 1E - Improper Link Resolution Before File Access2020-12-29T00:00:00+00:00https://hackandpwn.com/cve-2020-27643<p>The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory.</p>
<p>This leads to partial privilege escalation. The vulnerability can be mitigated by changing the permissions on the %PROGRAMDATA%\1E\Client directory so that standard users cannot create or modify files there.</p>
<p><a href="https://www.1e.com/trust-security-compliance/cve-info/">1E Security Advisory</a></p>
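<p>The junction technique above only works because a privileged component follows a reparse point that a standard user planted below a directory it trusts. The advisory's fix is the directory ACL; the added example below (my code, not 1E's) shows the defensive-coding complement: a privileged writer that lstat()s every path component below a trusted root and refuses to follow any reparse point (a Windows junction or symlink, a POSIX symlink) or traversal. The directory names, the <code>demo()</code> layout and the file names are constructed for illustration; on POSIX a symlink stands in for the junction.</p>

```python
"""Write under a user-writable directory without following a planted junction.

Added example, not 1E's code. CVE-2020-27643 let a standard user plant a
junction in %PROGRAMDATA%\1E\Client so that a privileged write landed in a
system directory. The advisory's fix is the directory ACL; this is the
defensive-coding complement: lstat every component below a trusted root and
refuse any reparse point (Windows junction or symlink, POSIX symlink). The
directory layout built in demo() is constructed for illustration.
"""
import os
import stat
import tempfile


def _is_reparse_point(st):
    """POSIX symlink, or on Windows any reparse point (junction, symlink, ...)."""
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def open_under_trusted_root(root, relative_path, mode=0o600):
    """Open root/relative_path for append, rejecting links anywhere below root.

    root is assumed trusted (installer-created, ACL not changeable by standard
    users). Raises PermissionError for traversal, a missing intermediate
    directory, or a reparse point at any component including the leaf.
    """
    parts = [p for p in relative_path.replace("\\", "/").split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("rejected path: %r" % relative_path)
    current = os.path.realpath(root)
    for part in parts[:-1]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            raise PermissionError("missing directory: %r" % current) from None
        if _is_reparse_point(st) or not stat.S_ISDIR(st.st_mode):
            raise PermissionError("reparse point or non-directory: %r" % current)
    leaf = os.path.join(current, parts[-1])
    try:
        if _is_reparse_point(os.lstat(leaf)):
            raise PermissionError("reparse point at leaf: %r" % leaf)
    except FileNotFoundError:
        pass  # leaf does not exist yet; O_CREAT below creates it
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND
    # O_NOFOLLOW (where available) closes the window between lstat and open
    # for the leaf; Windows has no equivalent in os.open, hence the ACL fix.
    flags |= getattr(os, "O_NOFOLLOW", 0)
    return os.open(leaf, flags, mode)


def demo():
    """Exercise the check on a constructed layout; returns outcomes for assertions."""
    results = {}
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as system_dir:
        os.mkdir(os.path.join(root, "Client"))
        # Legitimate write: a real subdirectory, no links involved.
        fd = open_under_trusted_root(root, r"Client\diagnostics.log")
        os.write(fd, b"service started\n")
        os.close(fd)
        results["plain_write_ok"] = os.path.isfile(os.path.join(root, "Client", "diagnostics.log"))
        # Attacker plants a link "cache" pointing at a protected directory.
        try:
            os.symlink(system_dir, os.path.join(root, "Client", "cache"))
        except (OSError, NotImplementedError):
            results["junction_blocked"] = results["target_untouched"] = None
        else:
            try:
                os.close(open_under_trusted_root(root, r"Client\cache\payload.dll"))
                results["junction_blocked"] = False
            except PermissionError:
                results["junction_blocked"] = True
            results["target_untouched"] = not os.path.exists(os.path.join(system_dir, "payload.dll"))
        try:
            open_under_trusted_root(root, r"..\escape.txt")
            results["traversal_blocked"] = False
        except PermissionError:
            results["traversal_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

<p>The lstat-then-open sequence is still a race on Windows, where os.open has no O_NOFOLLOW equivalent, so this check reduces rather than removes the exposure; the durable fix remains the one the advisory gives, an ACL on the directory that standard users cannot create or modify files under.</p>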
CVE-2020-16268 - 1E - Improper Neutralization of Special Elements2020-12-29T00:00:00+00:00https://hackandpwn.com/cve-2020-16268<p>The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.</p>
<p><a href="https://www.1e.com/trust-security-compliance/cve-info/">1E Security Advisory</a></p>
CVE-2020-17099 - Microsoft - Lock Screen Bypass2020-12-08T00:00:00+00:00https://hackandpwn.com/cve-2020-17099<p>Windows Lock Screen Security Feature Bypass Vulnerability</p>
<p>An authenticated user would need to lock their active session. An attacker with physical access could then perform actions that would allow them to execute code from the Windows lock screen in the context of the active user session.</p>
<p><a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17099">Microsoft Security Advisory</a></p>
CVE-2020-7331 - McAfee - Unquoted Search Path or Element2020-11-10T00:00:00+00:00https://hackandpwn.com/cve-2020-7331<p>Unquoted service executable path in McAfee Endpoint Security (ENS) prior to 10.7.0 November 2020 Update allows local users to cause a denial of service and malicious file execution via carefully crafted and named executable files.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10335&showDraft=true">Trellix Security Bulletin SB10335</a></p>
CVE-2020-7316 - McAfee - Unquoted Search Path or Element2020-10-06T00:00:00+00:00https://hackandpwn.com/cve-2020-7316<p>Unquoted service path vulnerability in McAfee File and Removable Media Protection (FRP) prior to 5.3.0 allows local users to execute arbitrary code, with higher privileges, via execution from a compromised folder. This issue may result in files not being encrypted when a policy is triggered.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10330&showDraft=true">Trellix Security Bulletin SB10330</a></p>
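<p>The unquoted service path issues on this page (McAfee EPR CVE-2021-23879, 1E Client CVE-2020-27645 and CVE-2020-27644, McAfee ENS CVE-2020-7331 and FRP CVE-2020-7316) all come down to one CreateProcess rule: when the ImagePath is not quoted and a directory name contains a space, Windows tries each space-delimited prefix plus ".exe" before it reaches the real binary. The added example below (my code, not the vendors') computes those candidate paths from constructed ImagePath values, flags the vulnerable services, and produces the quoted value that fixes them. Only the 1E path is taken from the advisory text; the other service names, paths and the environment variables are hypothetical.</p>

```python
"""Find and fix unquoted Windows service paths (added example, not vendor code).

Models the CreateProcess rule behind CVE-2021-23879, CVE-2020-27645/27644,
CVE-2020-7331 and CVE-2020-7316: if a service ImagePath is unquoted and a
directory name contains a space, Windows tries each space-delimited prefix
plus ".exe" before the real binary. Sample ImagePath values are constructed;
only the 1E path is taken from the advisory text.
"""
import re

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath values.
SAMPLE_IMAGE_PATHS = {
    "1EClientInventory": r"%PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe",
    "ExampleQuotedSvc": r'"C:\Program Files\Example Vendor\svc host.exe" -k netsvcs',
    "ExampleUnquotedArgs": r"C:\Program Files\Example Vendor\agent.exe --service",
    "ExampleNoSpaces": r"C:\Windows\System32\svchost.exe -k LocalService",
}

# Hypothetical environment used to expand REG_EXPAND_SZ values like the SCM does.
ENV = {"PROGRAMFILES": r"C:\Program Files", "SYSTEMROOT": r"C:\Windows"}


def expand_env(path, env=ENV):
    """Expand %VAR% references; unknown variables are left untouched."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def _exe_token_index(tokens):
    """Index of the space-delimited token that ends the executable name.

    Falls back to the last token when no ".exe" is visible.
    """
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return i
    return len(tokens) - 1


def hijack_candidates(image_path, env=ENV):
    """Paths CreateProcess would try, in order, before the intended binary.

    An empty list means the value is safe: quoted, or no space before the .exe.
    """
    value = expand_env(image_path.strip(), env)
    if value.startswith('"'):
        return []
    tokens = value.split(" ")
    end = _exe_token_index(tokens)
    return [" ".join(tokens[: i + 1]) + ".exe" for i in range(end)]


def quoted_image_path(image_path):
    """Remediated value: the executable portion wrapped in double quotes, args kept."""
    value = image_path.strip()
    if value.startswith('"'):
        return value
    tokens = value.split(" ")
    end = _exe_token_index(tokens)
    exe, args = " ".join(tokens[: end + 1]), tokens[end + 1:]
    return " ".join(['"%s"' % exe] + args)


def audit_services(image_paths, env=ENV):
    """Map service name -> hijack candidates for every vulnerable ImagePath."""
    findings = {}
    for name, value in image_paths.items():
        candidates = hijack_candidates(value, env)
        if candidates:
            findings[name] = candidates
    return findings


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_IMAGE_PATHS).items():
        print(name)
        for c in candidates:
            print("  attacker-controlled if writable:", c)
        print("  fix: ImagePath =", quoted_image_path(SAMPLE_IMAGE_PATHS[name]))
```

<p>A candidate path is only exploitable if a low-privileged user can create the file there, so each finding still needs an ACL check on the parent directory (for example with icacls); that is why the McAfee EPR advisory above notes that local admin rights are needed to place the files. On a live system the same logic is fed from the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services, and the fix is to write back the quoted value with sc config or a registry edit.</p>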
Windows 7 ESU Analysis Updates Changelog2020-09-12T00:00:00+00:00https://hackandpwn.com/windows-7-esu-analysis-updates-changelog<h3 id="update-2024-02-16">Update 2024-02-16</h3>
<ul>
<li>Replaced January 2024 Servicing Stack Update (KB5032383) with February 2024 Servicing Stack Update (KB5034865).</li>
<li>Replaced January 2024 Monthly Update (KB5034169) with February 2024 Monthly Update (KB5034831).</li>
<li>Replaced January 2024 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26910) with February 2024 (6.1.7602.26961).</li>
<li>Added commands for importing the Manifest file.</li>
</ul>
<h3 id="update-2024-01-21">Update 2024-01-21</h3>
<ul>
<li>Replaced December 2023 Monthly Update (KB5033433) with January 2024 Monthly Update (KB5034169).</li>
<li>Replaced December 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26864) with January 2024 (6.1.7602.26910).</li>
</ul>
<h3 id="update-2023-12-22">Update 2023-12-22</h3>
<ul>
<li>Replaced November 2023 Monthly Update (KB5032252) with December 2023 Monthly Update (KB5033433).</li>
<li>Replaced November 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26816) with December 2023 (6.1.7602.26864).</li>
</ul>
<h3 id="update-2023-11-20">Update 2023-11-20</h3>
<ul>
<li>Replaced October 2023 Servicing Stack Update (KB5031658) with November 2023 Servicing Stack Update (KB5032383).</li>
<li>Replaced October 2023 Monthly Update (KB5031408) with November 2023 Monthly Update (KB5032252).</li>
<li>Replaced October 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26769) with November 2023 (6.1.7602.26816).</li>
</ul>
<h3 id="update-2023-10-12">Update 2023-10-12</h3>
<ul>
<li>Replaced July 2023 Servicing Stack Update (KB5028264) with October 2023 Servicing Stack Update (KB5031658).</li>
<li>Replaced September 2023 Monthly Update (KB5030265) with October 2023 Monthly Update (KB5031408).</li>
<li>Replaced September 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26713) with October 2023 (6.1.7602.26769).</li>
</ul>
<h3 id="update-2023-09-19">Update 2023-09-19</h3>
<ul>
<li>Replaced August 2023 Monthly Update (KB5029296) with September 2023 Monthly Update (KB5030265).</li>
<li>Replaced August 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26664) with September 2023 (6.1.7602.26713).</li>
</ul>
<h3 id="update-2023-08-21">Update 2023-08-21</h3>
<ul>
<li>Replaced July 2023 Monthly Update (KB5028240) with August 2023 Monthly Update (KB5029296).</li>
<li>Replaced July 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26623) with August 2023 (6.1.7602.26664).</li>
</ul>
<h3 id="update-2023-07-22">Update 2023-07-22</h3>
<ul>
<li>Replaced September 2022 Servicing Stack Update (KB5017397) with July 2023 Servicing Stack Update (KB5028264).</li>
<li>Replaced June 2023 Monthly Update (KB5027275) with July 2023 Monthly Update (KB5028240).</li>
<li>Replaced June 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26564) with July 2023 (6.1.7602.26623).</li>
</ul>
<h3 id="update-2023-06-25">Update 2023-06-25</h3>
<ul>
<li>Replaced May 2023 Monthly Update (KB5026413) with June 2023 Monthly Update (KB5027275).</li>
<li>Replaced May 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26519) with June 2023 (6.1.7602.26564).</li>
</ul>
<h3 id="update-2023-05-12">Update 2023-05-12</h3>
<ul>
<li>Replaced April 2023 Monthly Update (KB5025279) with May 2023 Monthly Update (KB5026413).</li>
<li>Replaced April 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26466) with May 2023 (6.1.7602.26519).</li>
</ul>
<h3 id="update-2023-04-12">Update 2023-04-12</h3>
<ul>
<li>Replaced March 2023 Monthly Update (KB5023769) with April 2023 Monthly Update (KB5025279).</li>
<li>Replaced March 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26415) with April 2023 (6.1.7602.26466).</li>
</ul>
<h3 id="update-2023-03-21">Update 2023-03-21</h3>
<ul>
<li>Replaced February 2023 Monthly Update (KB5022872) with March 2023 Monthly Update (KB5023769).</li>
<li>Replaced February 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26366) with March 2023 (6.1.7602.26415).</li>
<li>Updated the reboot note to say it may be required. Best to attempt the update first and reboot if it fails.</li>
</ul>
<h3 id="update-2023-02-25">Update 2023-02-25</h3>
<ul>
<li>Replaced January 2023 Monthly Update (KB5022338) with February 2023 Monthly Update (KB5022872).</li>
<li>Replaced January 2023 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26321) with February 2023 (6.1.7602.26366).</li>
</ul>
<h3 id="update-2023-01-12">Update 2023-01-12</h3>
<ul>
<li>Replaced December 2022 Monthly Update (KB5021291) with January 2023 Monthly Update (KB5022338).</li>
<li>Replaced December 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26266) with January 2023 (6.1.7602.26321).</li>
</ul>
<h3 id="update-2023-01-02">Update 2023-01-02</h3>
<ul>
<li>Replaced November 2022 Monthly Update (KB5020000) with December 2022 Monthly Update (KB5021291).</li>
<li>Replaced November 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26221) with December 2022 (6.1.7602.26266).</li>
</ul>
<h3 id="update-2022-11-27">Update 2022-11-27</h3>
<ul>
<li>Replaced October 2022 Monthly Update (KB5018454) with November 2022 Monthly Update (KB5020000).</li>
<li>Replaced October 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26174) with November 2022 (6.1.7602.26221).</li>
</ul>
<h3 id="update-2022-10-26">Update 2022-10-26</h3>
<ul>
<li>Replaced September 2022 Monthly Update (KB5017361) with October 2022 Monthly Update (KB5018454).</li>
<li>Replaced September 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26115) with October 2022 (6.1.7602.26174).</li>
</ul>
<h3 id="update-2022-09-26">Update 2022-09-26</h3>
<ul>
<li>Replaced July 2022 Servicing Stack Update (KB5016057) with September 2022 Servicing Stack Update (KB5017397).</li>
<li>Replaced August 2022 Monthly Update (KB5016676) with September 2022 Monthly Update (KB5017361).</li>
<li>Replaced August 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26065) with September 2022 (6.1.7602.26115).</li>
</ul>
<h3 id="update-2022-08-22">Update 2022-08-22</h3>
<ul>
<li>Replaced July 2022 Monthly Update (KB5015861) with August 2022 Monthly Update (KB5016676).</li>
<li>Replaced July 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.26022) with August 2022 (6.1.7602.26065).</li>
</ul>
<h3 id="update-2022-07-18">Update 2022-07-18</h3>
<ul>
<li>Replaced March 2022 Servicing Stack Update (KB5011649) with July 2022 Servicing Stack Update (KB5016057).</li>
<li>Replaced June 2022 Monthly Update (KB5014748) with July 2022 Monthly Update (KB5015861).</li>
<li>Replaced June 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25984) with July 2022 (6.1.7602.26022).</li>
</ul>
<h3 id="update-2022-06-19">Update 2022-06-19</h3>
<ul>
<li>Replaced May 2022 Monthly Update (KB5014012) with June 2022 Monthly Update (KB5014748).</li>
<li>Replaced May 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25954) with June 2022 (6.1.7602.25984).</li>
</ul>
<h3 id="update-2022-05-23">Update 2022-05-23</h3>
<ul>
<li>Replaced April 2022 Monthly Update (KB5012626) with May 2022 Monthly Update (KB5014012).</li>
<li>Replaced April 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25924) with May 2022 (6.1.7602.25954).</li>
</ul>
<h3 id="update-2022-04-20">Update 2022-04-20</h3>
<ul>
<li>Replaced March 2022 Monthly Update (KB5011552) with April 2022 Monthly Update (KB5012626).</li>
<li>Replaced March 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25898) with April 2022 (6.1.7602.25924).</li>
</ul>
<h3 id="update-2022-03-23">Update 2022-03-23</h3>
<ul>
<li>Replaced February 2022 Servicing Stack Update (KB5010451) with March 2022 Servicing Stack Update (KB5011649).</li>
<li>Replaced February 2022 Monthly Update (KB5010404) with March 2022 Monthly Update (KB5011552).</li>
<li>Replaced February 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25860) with March 2022 (6.1.7602.25898).</li>
</ul>
<h3 id="update-2022-02-20">Update 2022-02-20</h3>
<ul>
<li>Replaced October 2021 Servicing Stack Update (KB5006749) with February 2022 Servicing Stack Update (KB5010451).</li>
<li>Replaced January 2022 Monthly Update (KB5009610) with February 2022 Monthly Update (KB5010404).</li>
<li>Replaced January 2022 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25829) with February 2022 (6.1.7602.25860).</li>
</ul>
<h3 id="update-2022-01-16">Update 2022-01-16</h3>
<ul>
<li>Replaced December 2021 Monthly Update (KB5008244) with January 2022 Monthly Update (KB5009610).</li>
<li>Replaced December 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25796) with January 2022 (6.1.7602.25829).</li>
</ul>
<h3 id="update-2021-12-24">Update 2021-12-24</h3>
<ul>
<li>Replaced November 2021 Monthly Update (KB5007236) with December 2021 Monthly Update (KB5008244).</li>
<li>Replaced November 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25769) with December 2021 (6.1.7602.25796).</li>
</ul>
<h3 id="update-2021-11-18">Update 2021-11-18</h3>
<ul>
<li>Replaced October 2021 Monthly Update (KB5006743) with November 2021 Monthly Update (KB5007236).</li>
<li>Replaced October 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25740) with November 2021 (6.1.7602.25769).</li>
</ul>
<h3 id="update-2021-10-21">Update 2021-10-21</h3>
<ul>
<li>Replaced July 2021 Servicing Stack Update (KB5004378) with October 2021 Servicing Stack Update (KB5006749).</li>
<li>Replaced September 2021 Monthly Update (KB5005633) with October 2021 Monthly Update (KB5006743).</li>
<li>Replaced September 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25712) with October 2021 (6.1.7602.25740).</li>
</ul>
<h3 id="update-2021-09-25">Update 2021-09-25</h3>
<ul>
<li>Replaced August 2021 Monthly Update (KB5005088) with September 2021 Monthly Update (KB5005633).</li>
<li>Replaced August 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25685) with September 2021 (6.1.7602.25712).</li>
<li>Updated GitHub links.</li>
</ul>
<h3 id="update-2021-08-10">Update 2021-08-10</h3>
<ul>
<li>Added 32-Bit links.</li>
<li>Replaced July 2021 Monthly Update (KB5004289) with August 2021 Monthly Update (KB5005088).</li>
<li>Replaced July 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25661) with August 2021 (6.1.7602.25685).</li>
</ul>
<h3 id="update-2021-07-14">Update 2021-07-14</h3>
<ul>
<li>Replaced December 2020 Servicing Stack Update (KB4592510) with July 2021 Servicing Stack Update (KB5004378).</li>
<li>Replaced June 2021 Monthly Update (KB5003667) with July 2021 Monthly Update (KB5004289).</li>
<li>Replaced June 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.25632) with July 2021 (6.1.7602.25661).</li>
</ul>
<h3 id="update-2021-06-13">Update 2021-06-13</h3>
<ul>
<li>Replaced May 2021 Monthly Update (KB5003233) with June 2021 Monthly Update (KB5003667).</li>
<li>Replaced May 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24600) with June 2021 (6.1.7602.25632).</li>
</ul>
<h3 id="update-2021-05-13">Update 2021-05-13</h3>
<ul>
<li>Replaced April 2021 Monthly Update (KB5001335) with May 2021 Monthly Update (KB5003233).</li>
<li>Replaced April 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24576) with May 2021 (6.1.7602.24600).</li>
</ul>
<h3 id="update-2021-04-15">Update 2021-04-15</h3>
<ul>
<li>Replaced March 2021 Monthly Update (KB5000841) with April 2021 Monthly Update (KB5001335).</li>
<li>Replaced March 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24566) with April 2021 (6.1.7602.24576).</li>
</ul>
<h3 id="update-2021-04-03">Update 2021-04-03</h3>
<ul>
<li>Replaced February 2021 Monthly Update (KB4601347) with March 2021 Monthly Update (KB5000841).</li>
<li>Replaced February 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24565) with March 2021 (6.1.7602.24566).</li>
</ul>
<h3 id="update-2021-02-17">Update 2021-02-17</h3>
<ul>
<li>Replaced January 2021 Monthly Update (KB4598279) with February 2021 Monthly Update (KB4601347).</li>
<li>Replaced January 2021 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24564) with February 2021 (6.1.7602.24565).</li>
</ul>
<h3 id="update-2021-01-17">Update 2021-01-17</h3>
<ul>
<li>Replaced December 2020 Monthly Update (KB4592471) with January 2021 Monthly Update (KB4598279).</li>
<li>Replaced December 2020 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24563) with January 2021 (6.1.7602.24564).</li>
</ul>
<h3 id="update-2020-12-15">Update 2020-12-15</h3>
<ul>
<li>Replaced October 2020 Servicing Stack Update (KB4580970) with December 2020 Servicing Stack Update (KB4592510).</li>
<li>Replaced November 2020 Monthly Update (KB4586827) with December 2020 Monthly Update (KB4592471).</li>
<li>Replaced November 2020 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24562) with December 2020 (6.1.7602.24563).</li>
<li>Added a note that a reboot is required after installing the SSU.</li>
</ul>
<h3 id="update-2020-11-22">Update 2020-11-22</h3>
<ul>
<li>Replaced October 2020 Monthly Update (KB4580345) with November 2020 Monthly Update (KB4586827).</li>
<li>Replaced October 2020 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24561) with November 2020 (6.1.7602.24562).</li>
</ul>
<h3 id="update-2020-10-17">Update 2020-10-17</h3>
<ul>
<li>Replaced September 2020 Servicing Stack Update (KB4570673) with October 2020 Servicing Stack Update (KB4580970).</li>
<li>Replaced September 2020 Monthly Update (KB4577051) with October 2020 Monthly Update (KB4580345).</li>
<li>Replaced September 2020 Manifest, Components Registry Key, and SideBySide Registry Key (6.1.7602.24560) with October 2020 (6.1.7602.24561).</li>
</ul>
CVE-2020-7323 - McAfee - Improper Authentication2020-09-08T00:00:00+00:00https://hackandpwn.com/cve-2020-7323<p>Authentication Protection Bypass vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2020 Update allows physical local users to bypass the Windows lock screen by triggering certain detection events while the computer screen is locked and McTray.exe is running with elevated privileges.</p>
<p>This issue is timing dependent and requires physical access to the machine.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10327&showDraft=true">Trellix Security Bulletin SB10327</a></p>
CVE-2020-7314 - McAfee - Incorrect Permission Assignment for Critical Resource2020-09-08T00:00:00+00:00https://hackandpwn.com/cve-2020-7314<p>Privilege Escalation vulnerability in the installer of the McAfee Data Exchange Layer (DXL) Client for Mac, shipped with McAfee Agent (MA) for Mac prior to MA 5.6.6, allows local users to run commands as root via incorrectly applied permissions on temporary files. On macOS the installer writes out temporary files with permissions that let a low-privileged user run commands as root; the fix is included in the MA 5.6.6 Update release.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10325&showDraft=true">Trellix Security Bulletin SB10325</a></p>
CVE-2020-9415 - TIBCO - Arbitrary File Download2020-08-18T00:00:00+00:00https://hackandpwn.com/cve-2020-9415<p>TIBCO Data Virtualization Server contains a vulnerability that theoretically allows a malicious authenticated user to download any arbitrary file from the affected system. The user must be authenticated and have privileges required to monitor the server in an operational capacity.</p>
<p>[TIBCO Security Advisory]https://www.tibco.com/support/advisories/2020/08/tibco-security-advisory-august-18-2020-tibco-data-virtualization)</p>
CVE-2020-7307 - McAfee - Insufficiently Protected Credentials2020-08-11T00:00:00+00:00https://hackandpwn.com/cve-2020-7307<p>Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.</p>
<p>[Trellix Security Bulletin SB10326]https://kcm.trellix.com/corporate/index?page=content&id=SB10326&showDraft=true)</p>
CVE-2020-7306 - McAfee - Insufficiently Protected Credentials2020-08-11T00:00:00+00:00https://hackandpwn.com/cve-2020-7306<p>Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the ADRMS username and password via unprotected log files containing plain text credentials.</p>
<p>[Trellix Security Bulletin SB10326]https://kcm.trellix.com/corporate/index?page=content&id=SB10326&showDraft=true)</p>
CVE-2019-3588 - McAfee - Improper Privilege Management2020-06-09T00:00:00+00:00https://hackandpwn.com/cve-2019-3588<p>Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow unauthorized users to interact with the On-Access Scan Messages - Threat Alert Window when the Windows Login Screen is locked.</p>
<p>When a threat is detected and the Alert Notifications are turned on (On-Access Scan Messages), the ‘Alert Message’ window would open with Admin privileges, allowing a standard user to interact with the available menus with elevated privileges. In certain conditions, this issue may also cause the On-Access Scan Messages window to pop-up on top of the Windows Lock Screen.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10302&showDraft=true">Trellix Security Bulletin SB10302</a></p>
CVE-2019-3585 - McAfee - Improper Privilege Management2020-06-09T00:00:00+00:00https://hackandpwn.com/cve-2019-3585<p>Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 prior to Patch 14 may allow local users to interact with the On-Access Scan Messages - Threat Alert Window with elevated privileges via running McAfee Tray with elevated privileges.</p>
<p>When the process McTray.exe runs with elevated privileges, VSE might spawn a process inheriting the parent’s privileges. This issue exposes the system to be manipulated by an attacker.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10302&showDraft=true">Trellix Security Bulletin SB10302</a></p>
Windows 7 ESU Patching Changelog2020-05-23T00:00:00+00:00https://hackandpwn.com/windows-7-esu-patching-changelog<h3 id="update-2024-02-16">Update 2024-02-16</h3>
<ul>
<li>Replaced January 2024 Servicing Stack Update (KB5032383) with February 2024 Servicing Stack Update (KB5034865).</li>
<li>Replaced January 2024 Monthly Update (KB5034169) with February 2024 Monthly Update (KB5034831).</li>
<li>Replaced January 2024 .NET Framework 4.8 Update (KB5033916) with February 2024 .NET Framework 4.8 Update (KB5034615).</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2024-01-24">Update 2024-01-24</h3>
<ul>
<li>Added missing link for Part 5 of January 2024 Monthly Update (Thanks <a href="https://github.com/Robbbert">Robbbert</a>!)</li>
</ul>
<h3 id="update-2024-01-21">Update 2024-01-21</h3>
<ul>
<li>Replaced December 2023 Monthly Update (KB5033433) with January 2024 Monthly Update (KB5034169).</li>
<li>Replaced November 2023 .NET Framework 3.5.1 Update (KB5032000) with January 2024 .NET Framework 3.5.1 Update (KB5033899).</li>
<li>Replaced November 2023 .NET Framework 4.8 Update (KB5031995) with January 2024 .NET Framework 4.8 Update (KB5033916).</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2023-12-22">Update 2023-12-22</h3>
<ul>
<li>Replaced November 2023 Monthly Update (KB5032252) with December 2023 Monthly Update (KB5033433).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2023-11-20">Update 2023-11-20</h3>
<ul>
<li>Replaced October 2023 Servicing Stack Update (KB5031658) with November 2023 Servicing Stack Update (KB5032383).</li>
<li>Replaced October 2023 Monthly Update (KB5031408) with November 2023 Monthly Update (KB5032252).</li>
<li>Replaced September 2023 .NET Framework 3.5.1 Update (KB5029938) with November 2023 .NET Framework 3.5.1 Update (KB5032000).</li>
<li>Replaced October 2023 .NET Framework 4.8 Update (KB5031001) with November 2023 .NET Framework 4.8 Update (KB5031995).</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2023-10-12">Update 2023-10-12</h3>
<ul>
<li>Replaced July 2023 Servicing Stack Update (KB5028264) with October 2023 Servicing Stack Update (KB5031658).</li>
<li>Replaced September 2023 Monthly Update (KB5030265) with October 2023 Monthly Update (KB5031408).</li>
<li>Replaced September 2023 .NET Framework 4.8 Update (KB5029929) with October 2023 .NET Framework 4.8 Update (KB5031001).</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2023-09-19">Update 2023-09-19</h3>
<ul>
<li>Replaced August 2023 Monthly Update (KB5029296) with September 2023 Monthly Update (KB5030265).</li>
<li>Replaced August 2023 .NET Framework 3.5.1 Update (KB5028969) with September 2023 .NET Framework 3.5.1 Update (KB5029938).</li>
<li>Replaced August 2023 .NET Framework 4.8 Update (KB5028958) with September 2023 .NET Framework 4.8 Update (KB5029929).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2023-08-21">Update 2023-08-21</h3>
<ul>
<li>Replaced July 2023 Monthly Update (KB5028240) with August 2023 Monthly Update (KB5029296).</li>
<li>Replaced July 2023 .NET Framework 3.5.1 Update (KB5028871) with August 2023 .NET Framework 3.5.1 Update (KB5028969).</li>
<li>Replaced July 2023 .NET Framework 4.8 Update (KB5028860) with August 2023 .NET Framework 4.8 Update (KB5028958).</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2023-07-22">Update 2023-07-22</h3>
<ul>
<li>Replaced September 2022 Servicing Stack Update (KB5017397) with July 2023 Servicing Stack Update (KB5028264).</li>
<li>Replaced June 2023 Monthly Update (KB5027275) with July 2023 Monthly Update (KB5028240).</li>
<li>Replaced June 2023 .NET Framework 3.5.1 Update (KB5027140) with July 2023 .NET Framework 3.5.1 Update (KB5028871).</li>
<li>Replaced June 2023 .NET Framework 4.8 Update (KB5027129) with July 2023 .NET Framework 4.8 Update (KB5028860).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2023-06-25">Update 2023-06-25</h3>
<ul>
<li>Replaced May 2023 Monthly Update (KB5026413) with June 2023 Monthly Update (KB5027275).</li>
<li>Replaced February 2023 .NET Framework 3.5.1 Update (KB5022523) with June 2023 .NET Framework 3.5.1 Update (KB5027140).</li>
<li>Replaced February 2023 .NET Framework 4.8 Update (KB5022509) with June 2023 .NET Framework 4.8 Update (KB5027129).</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2023-05-12">Update 2023-05-12</h3>
<ul>
<li>Replaced April 2023 Monthly Update (KB5025279) with May 2023 Monthly Update (KB5026413).</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2023-04-12">Update 2023-04-12</h3>
<ul>
<li>Replaced March 2023 Monthly Update (KB5023769) with April 2023 Monthly Update (KB5025279).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2023-03-21">Update 2023-03-21</h3>
<ul>
<li>Replaced February 2023 Monthly Update (KB5022872) with March 2023 Monthly Update (KB5023769).</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2023-02-25">Update 2023-02-25</h3>
<ul>
<li>Replaced January 2023 Monthly Update (KB5022338) with February 2023 Monthly Update (KB5022872).</li>
<li>Replaced December 2022 .NET Framework 3.5.1 Update (KB5020861) with February 2023 .NET Framework 3.5.1 Update (KB5022523).</li>
<li>Replaced December 2022 .NET Framework 4.8 Update (KB5020879) with February 2023 .NET Framework 4.8 Update (KB5022509).</li>
<li>Added Supplemental February 2022 .NET Framework 4.8 Update (KB5023823).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2023-01-12">Update 2023-01-12</h3>
<ul>
<li>Replaced December 2022 Monthly Update (KB5021291) with January 2023 Monthly Update (KB5022338).</li>
</ul>
<h3 id="update-2023-01-02">Update 2023-01-02</h3>
<ul>
<li>Replaced November 2022 Monthly Update (KB5020000) with December 2022 Monthly Update (KB5021291).</li>
<li>Replaced May 2022 .NET Framework 3.5.1 Update (KB5013637) with December 2022 .NET Framework 3.5.1 Update (KB5020861).</li>
<li>Replaced November 2022 .NET Framework 4.8 Update (KB5020621) with December 2022 .NET Framework 4.8 Update (KB5020879).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2022-11-27">Update 2022-11-27</h3>
<ul>
<li>Replaced October 2022 Monthly Update (KB5018454) with November 2022 Monthly Update (KB5020000).</li>
<li>Replaced October 2022 .NET Framework 4.8 Update (KB5018516) with November 2022 .NET Framework 4.8 Update (KB5020621).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2022-10-26">Update 2022-10-26</h3>
<ul>
<li>Replaced September 2022 Monthly Update (KB5017361) with October 2022 Monthly Update (KB5018454).</li>
<li>Replaced September 2022 .NET Framework 4.8 Update (KB5017036) with October 2022 .NET Framework 4.8 Update (KB5018516).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2022-09-26">Update 2022-09-26</h3>
<ul>
<li>Replaced July 2022 Servicing Stack Update (KB5016057) with September 2022 Servicing Stack Update (KB5017397).</li>
<li>Replaced August 2022 Monthly Update (KB5016676) with September 2022 Monthly Update (KB5017361).</li>
<li>Replaced August 2022 .NET Framework 4.8 Update (KB5016367) with September 2022 .NET Framework 4.8 Update (KB5017036).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2022-08-22">Update 2022-08-22</h3>
<ul>
<li>Replaced July 2022 Monthly Update (KB5015861) with August 2022 Monthly Update (KB5016676).</li>
<li>Replaced June 2022 .NET Framework 4.8 Update (KB5014631) with August 2022 .NET Framework 4.8 Update (KB5016367).</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2022-07-18">Update 2022-07-18</h3>
<ul>
<li>Replaced March 2022 Servicing Stack Update (KB5011649) with July 2022 Servicing Stack Update (KB5016057).</li>
<li>Replaced June 2022 Monthly Update (KB5014748) with July 2022 Monthly Update (KB5015861).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2022-06-19">Update 2022-06-19</h3>
<ul>
<li>Replaced May 2022 Monthly Update (KB5014012) with June 2022 Monthly Update (KB5014748).</li>
<li>Replaced May 2022 .NET Framework 4.8 Update (KB5013632) with June 2022 .NET Framework 4.8 Update (KB5014631).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2022-05-23">Update 2022-05-23</h3>
<ul>
<li>Replaced April 2022 Monthly Update (KB5012626) with May 2022 Monthly Update (KB5014012).</li>
<li>Replaced January 2022 .NET Framework 3.5.1 Update (KB5008867) with May 2022 .NET Framework 3.5.1 Update (KB5013637).</li>
<li>Replaced April 2022 .NET Framework 4.8 Update (KB5012125) with May 2022 .NET Framework 4.8 Update (KB5013632).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2022-04-20">Update 2022-04-20</h3>
<ul>
<li>Replaced March 2022 Monthly Update (KB5011552) with April 2022 Monthly Update (KB5012626).</li>
<li>Replaced February 2022 .NET Framework 4.8 Update (KB5010457) with April 2022 .NET Framework 4.8 Update (KB5012125).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2022-03-23">Update 2022-03-23</h3>
<ul>
<li>Replaced February 2022 Servicing Stack Update (KB5010451) with March 2022 Servicing Stack Update (KB5011649).</li>
<li>Replaced February 2022 Monthly Update (KB5010404) with March 2022 Monthly Update (KB5011552).</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2022-02-20">Update 2022-02-20</h3>
<ul>
<li>Replaced October 2021 Servicing Stack Update (KB5006749) with February 2022 Servicing Stack Update (KB5010451).</li>
<li>Replaced January 2022 Monthly Update (KB5009610) with February 2022 Monthly Update (KB5010404).</li>
<li>Replaced January 2022 .NET Framework 4.8 Update (KB5008858) with February 2022 .NET Framework 4.8 Update (KB5010457).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2022-01-16">Update 2022-01-16</h3>
<ul>
<li>Replaced December 2021 Monthly Update (KB5008244) with January 2022 Monthly Update (KB5009610).</li>
<li>Replaced October 2020 .NET Framework 3.5.1 Update (KB4578952) with January 2022 .NET Framework 3.5.1 Update (KB5008867).</li>
<li>Replaced November 2021 .NET Framework 4.8 Update (KB5007149) with January 2022 .NET Framework 4.8 Update (KB5008858).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2021-12-24">Update 2021-12-24</h3>
<ul>
<li>Replaced November 2021 Monthly Update (KB5007236) with December 2021 Monthly Update (KB5008244).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2021-11-18">Update 2021-11-18</h3>
<ul>
<li>Replaced October 2021 Monthly Update (KB5006743) with November 2021 Monthly Update (KB5007236).</li>
<li>Replaced October 2021 .NET Framework 4.8 Update (KB5006060) with November 2021 .NET Framework 4.8 Update (KB5007149).</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2021-10-22">Update 2021-10-22</h3>
<ul>
<li>Replaced July 2021 Servicing Stack Update (KB5004378) with October 2021 Servicing Stack Update (KB5006749).</li>
<li>Replaced September 2021 Monthly Update (KB5005633) with October 2021 Monthly Update (KB5006743).</li>
<li>Replaced August 2021 .NET Framework 4.8 Update (KB5004755) with October 2021 .NET Framework 4.8 Update (KB5006060).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2021-09-25">Update 2021-09-25</h3>
<ul>
<li>Updated GitHub links.</li>
<li>Added Windows XP Mode - (32-bit / 64-bit).</li>
<li>Added KB981390 - (64-bit).</li>
<li>Added KB981392 - (64-bit).</li>
<li>Added KB2386667 - (64-bit).</li>
<li>Added KB2790338 - (64-bit).</li>
<li>Added Optional Software Updates Section.</li>
<li>Added Attack Surface Analyzer (32-bit / 64-bit).</li>
<li>Added Enhanced Mitigation Experience Toolkit (32-bit / 64-bit).</li>
<li>Added Enterprise Mode Internet Explorer Site List Manager (32-bit / 64-bit).</li>
<li>Added Windows Journal (32-bit / 64-bit).</li>
<li>Added Microsoft Baseline Security Analyzer (32-bit / 64-bit).</li>
<li>Added Microsoft Camera Codec Pack (32-bit / 64-bit).</li>
<li>Added Utilities and SDK for Subsystem for UNIX-based Applications (32-bit / 64-bit).</li>
<li>Removed KB3161102 (Windows Journal Removal).</li>
<li>Removed KB4016754 (Media Transfer Protocol Driver Update).</li>
<li>Added KB4524752 - (32-bit / 64-bit).</li>
<li>Added KB4578847 - (32-bit / 64-bit).</li>
<li>Replaced August 2021 Monthly Update (KB5005088) with September 2021 Monthly Update (KB5005633).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2021-08-11">Update 2021-08-11</h3>
<ul>
<li>Added 32-bit Updates.</li>
<li>Replaced July 2021 Monthly Update (KB5004289) with August 2021 Monthly Update (KB5005088).</li>
<li>Replaced July 2021 .NET Framework 4.8 Update (KB5004116) with August 2021 .NET Framework 4.8 Update (KB5004755).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2021-07-14">Update 2021-07-14</h3>
<ul>
<li>Replaced December 2020 Servicing Stack Update (KB4592510) with July 2021 Servicing Stack Update (KB5004378).</li>
<li>Replaced June 2021 Monthly Update (KB5003667) with July 2021 Monthly Update (KB5004289).</li>
<li>Replaced June 2021 .NET Framework 4.8 Update (KB5003543) with July 2021 .NET Framework 4.8 Update (KB5004116).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2021-06-13">Update 2021-06-13</h3>
<ul>
<li>Replaced May 2021 Monthly Update (KB5003233) with June 2021 Monthly Update (KB5003667).</li>
<li>Replaced May 2021 .NET Framework 4.8 Update (KB5001843) with June 2021 .NET Framework 4.8 Update (KB5003543).</li>
</ul>
<h3 id="update-2021-05-13">Update 2021-05-13</h3>
<ul>
<li>Replaced April 2021 Monthly Update (KB5001335) with May 2021 Monthly Update (KB5003233).</li>
<li>Replaced March 2021 .NET Framework 4.8 Update (KB4600944-v2) with May 2021 .NET Framework 4.8 Update (KB5001843).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2021-04-15">Update 2021-04-15</h3>
<ul>
<li>Replaced March 2021 Monthly Update (KB5000841) with April 2021 Monthly Update (KB5001335).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Excluded Graphical Update (KB4601275) - included in April 2021 Monthly Update (KB5001335).</li>
<li>Excluded DST Update (KB5001639) - included in April 2021 Monthly Update (KB5001335).</li>
</ul>
<h3 id="update-2021-04-04">Update 2021-04-04</h3>
<ul>
<li>Replaced February 2021 Monthly Update (KB4601347) with March 2021 Monthly Update (KB5000841).</li>
<li>Replaced February 2021 .NET Framework 4.8 Update (KB4600944) with March 2021 .NET Framework 4.8 Update (KB4600944-v2).</li>
</ul>
<h3 id="update-2021-02-17">Update 2021-02-17</h3>
<ul>
<li>Replaced January 2021 Monthly Update (KB4598279) with February 2021 Monthly Update (KB4601347).</li>
<li>Replaced January 2021 .NET Framework 4.8 Update (KB4597254) with February 2021 .NET Framework 4.8 Update (KB4600944).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2021-01-17">Update 2021-01-17</h3>
<ul>
<li>Replaced December 2020 Monthly Update (KB4592471) with January 2021 Monthly Update (KB4598279).</li>
<li>Replaced December 2020 .NET Framework 4.8 Update (KB4585205) with January 2021 .NET Framework 4.8 Update (KB4597254).</li>
</ul>
<h3 id="update-2020-12-15">Update 2020-12-15</h3>
<ul>
<li>Replaced October 2020 Servicing Stack Update (KB4580970) with December 2020 Servicing Stack Update (KB4592510).</li>
<li>Replaced November 2020 Monthly Update (KB4586827) with December 2020 Monthly Update (KB4592471).</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2020-11-22">Update 2020-11-22</h3>
<ul>
<li>Replaced October 2020 Monthly Update (KB4580345) with November 2020 Monthly Update (KB4586827).</li>
<li>Replaced October 2020 .NET Framework 4.8 Update (KB4578977) with November 2020 .NET Framework 4.8 Update (KB4585205).</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
</ul>
<h3 id="update-2020-10-22">Update 2020-10-22</h3>
<ul>
<li>Updated the description for KB970985 - Thanks <a href="https://twitter.com/FrankLesniak">FrankLesniak</a>!</li>
</ul>
<h3 id="update-2020-10-17">Update 2020-10-17</h3>
<ul>
<li>Replaced August 2020 Servicing Stack Update (KB4570673) with October 2020 Servicing Stack Update (KB4580970).</li>
<li>Replaced September 2020 Monthly Update (KB4577051) with October 2020 Monthly Update (KB4580345).</li>
<li>Replaced August 2020 .NET Framework 3.5.1 Update (KB4569767) with October 2020 .NET Framework 3.5.1 Update (KB4578952).</li>
<li>Replaced September 2020 .NET Framework 4.8 Update (KB4576487) with October 2020 .NET Framework 4.8 Update (KB4578977).</li>
<li>Changed the order of ESU updates (Monthly Update needs to be installed prior to installing .NET Framework 3.5.1 Update).</li>
</ul>
<h3 id="update-2020-09-14">Update 2020-09-14</h3>
<ul>
<li>Replaced August 2020 Monthly Update (KB4571729) with September 2020 Monthly Update (KB4577051).</li>
<li>Replaced August 2020 .NET Framework 4.8 Update (KB4569754) with September 2020 .NET Framework 4.8 Update (KB4576487).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
</ul>
<h3 id="update-2020-08-11">Update 2020-08-11</h3>
<ul>
<li>Replaced July 2020 Servicing Stack Update (KB4565354) with August 2020 Servicing Stack Update (KB4570673).</li>
<li>Replaced July 2020 .NET Framework 3.5.1 Update (KB4565612 v1 & v2) with August 2020 .NET Framework 3.5.1 Update (KB4569767).</li>
<li>Replaced July 2020 Monthly Update (KB4565524) with August 2020 Monthly Update (KB4571729).</li>
<li>Replaced July 2020 .NET Framework 4.8 Updates (KB4565636 v1 & v2) with August 2020 .NET Framework 4.8 Update (KB4569754).</li>
<li>Removed May 2020 ESU Preparation Package (KB4538483) and July 2020 ESU Preparation Package (KB4575903). This has been replaced with the August 2020 Monthly Update (KB4571729).</li>
</ul>
<h3 id="update-2020-07-15">Update 2020-07-15</h3>
<ul>
<li>Replaced June 2020 Servicing Stack Update (KB4562030) with July 2020 Servicing Stack Update (KB4565354).</li>
<li>Replaced May 2020 .NET Framework 3.5.1 Update (KB4552940) with July 2020 .NET Framework 3.5.1 Update (KB4565612).</li>
<li>Replaced June 2020 Monthly Update (KB4561643) with July 2020 Monthly Update (KB4565524).</li>
<li>Replaced May 2020 .NET Framework 4.8 Update (KB4552921) with July 2020 .NET Framework 4.8 Update (KB4565636).</li>
<li>Updated Microsoft ECC Product Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC TS Root Certificate Authority 2018.crl.</li>
<li>Updated Microsoft ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV ECC Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft RSA Root Certificate Authority 2017.crl.</li>
<li>Updated Microsoft EV RSA Root Certificate Authority 2017.crl.</li>
</ul>
<h3 id="update-2020-06-10">Update 2020-06-10</h3>
<ul>
<li>Replaced May 2020 Servicing Stack Update (KB4555449) with June 2020 Servicing Stack Update (KB4562030).</li>
<li>Replaced May 2020 Monthly Update (KB4556836) with June 2020 Monthly Update (KB4561643).</li>
<li>Updated MicRooCerAut_2010-06-23.crl.</li>
<li>Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.</li>
<li>Sorted Certificates By Date.</li>
</ul>
<h3 id="update-2020-05-26">Update 2020-05-26</h3>
<ul>
<li>Added information about unnecessary updates showing up in Windows Update (KB2853587, KB3081954, KB3184471, KB4539601) and which updates replace them.</li>
<li>Removed link to IE 11 Cumulative Update.</li>
</ul>
<h3 id="update-2020-05-25">Update 2020-05-25</h3>
<ul>
<li>Internet Explorer 11 Cumulative Update (KB4556798) is included with the generic Windows 7 Monthly Update. Therefore, this update is no longer required.</li>
</ul>
<h2 id="cve-2020-11443">CVE-2020-11443 - Zoom - Incorrect Permission Assignment for Critical Resource</h2>
<p>2020-05-02 - <a href="https://hackandpwn.com/cve-2020-11443">https://hackandpwn.com/cve-2020-11443</a></p>
<p>The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files otherwise not deletable by the user.</p>
<p><a href="https://explore.zoom.us/en/trust/security/security-bulletin/">Zoom Security Advisory ZSB-20001</a></p>
<h2 id="cve-2020-7274">CVE-2020-7274 - McAfee - Improper Privilege Management</h2>
<p>2020-04-14 - <a href="https://hackandpwn.com/cve-2020-7274">https://hackandpwn.com/cve-2020-7274</a></p>
<p>Privilege escalation vulnerability in McTray.exe in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 April 2020 Update allows local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10309&showDraft=true">Trellix Security Bulletin SB10309</a></p>
<h2 id="cve-2020-7255">CVE-2020-7255 - McAfee - Improper Privilege Management</h2>
<p>2020-04-14 - <a href="https://hackandpwn.com/cve-2020-7255">https://hackandpwn.com/cve-2020-7255</a></p>
<p>Privilege escalation vulnerability in the administrative user interface in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 February 2020 Update allows local users to gain elevated privileges via a configuration error.</p>
<p>This vulnerability allows local users to gain elevated privileges via ENS not checking user permissions when editing configuration in the ENS client interface.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10309&showDraft=true">Trellix Security Bulletin SB10309</a></p>
<h2 id="cve-2019-3637">CVE-2019-3637 - McAfee - Privilege Escalation</h2>
<p>2019-08-13 - <a href="https://hackandpwn.com/cve-2019-3637">https://hackandpwn.com/cve-2019-3637</a></p>
<p>Privilege Escalation vulnerability in McAfee FRP 5.x earlier than 5.1.0.209 allows local users to gain elevated privileges via running McAfee Tray with elevated privileges.</p>
<p>When FRP is installed, it includes a plug-in to facilitate user interaction with the McAfee Agent Tray. To exploit this vulnerability, an attacker would need to run McAfee Agent Tray with administrator rights on the target machine. From the elevated McAfee Tray, the attacker can start the FRP console with the same administrator rights and then use the console to start other processes with the same rights. The FRP console has been updated to prevent elevated privileges from being inherited from McAfee Tray.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10291&showDraft=true">Trellix Security Bulletin SB10291</a></p>
<h2 id="cve-2019-3621">CVE-2019-3621 - McAfee - Lock Screen Bypass</h2>
<p>2019-07-23 - <a href="https://hackandpwn.com/cve-2019-3621">https://hackandpwn.com/cve-2019-3621</a></p>
<p>Authentication protection bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) for Windows 11.x prior to 11.3.0 allows a physical local user to bypass the Windows lock screen via DLP Endpoint processes being killed just prior to the screen being locked or when the screen is locked.</p>
<p>The attacker requires physical access to the machine.</p>
<p>The fix for CVE-2019-3621 addresses an issue where it was possible to bypass the Windows lock screen. With certain DLP Endpoint configuration options, and when one or more DLP Endpoint processes are killed immediately before the screen is locked or while the screen is locked, an attacker with physical access to the machine can bypass the lock screen by inserting a USB drive into the machine. This would result in a notification window being displayed above the lock screen, through which the attacker could gain access to the user’s session.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10290&showDraft=true">Trellix Security Bulletin SB10290</a></p>
<h2 id="cve-2018-10959">CVE-2018-10959 - BeyondTrust - Untrusted Search Path</h2>
<p>2019-04-17 - <a href="https://hackandpwn.com/cve-2018-10959">https://hackandpwn.com/cve-2018-10959</a></p>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10959">Mitre</a> and <a href="https://nvd.nist.gov/vuln/detail/CVE-2018-10959">NVD</a> have recently made this high-severity (CVSS 7.5) CVE public, describing the vulnerability as an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.</p>
<p>The exact words within the CVE are:</p>
<blockquote>
<p>Avecto Defendpoint 4 prior to 4.4 SR6 and 5 prior to 5.1 SR1 has an Untrusted Search Path vulnerability, exploitable by modifying environment variables to trigger automatic elevation of an attacker’s process launch.</p>
</blockquote>
<p>Avecto has also identified this CVE in its release notes, which can be found <a href="https://www.beyondtrust.com/docs/release-notes/privilege-management/windows-and-mac/windows/pm-windows-4-4-sr6.pdf">here</a>. They describe the fix as:</p>
<blockquote>
<p>Added a check to ensure computer level environment variables cannot be overridden by user-defined environment variables.</p>
</blockquote>
<p>However, neither of these descriptions provides enough detail to completely understand the vulnerability. Now that the nondisclosure window has passed and the CVE is publicly known, I would like to describe this vulnerability and the exploit in more detail.</p>
<p><br /></p>
<h3 id="avecto-privilege-guard">Avecto Privilege Guard</h3>
<p>Avecto Privilege Guard is software used for endpoint privilege management. A common use case for this software is the scenario when a standard user needs limited administrative permissions. Rather than making the user an administrator, this software watches for programs to be executed, and if they match the configuration rules, automatically injects administrative permissions into the process’s security token.</p>
<p>Various rules and conditions can be used to identify which programs get this special treatment. Examples include file path, file name, trusted files (only files owned by administrators or SYSTEM), and digital signatures.</p>
<p>For this exploit, all rules that depend on the file path and include an environment variable as part of the path are vulnerable. For example, the following rule is vulnerable:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>&lt;AddAdmin&gt;
&lt;Rule FilePath="%ProgramFiles%\Wireshark\Wireshark.exe" /&gt;
&lt;/AddAdmin&gt;
</code></pre></div></div>
<p><br />In this rule, whenever a standard user launches Wireshark, it would automatically be elevated by Avecto.</p>
<p>It should also be noted that the Avecto Management Console, which is a GUI front end for creating the rules file, automatically injects some System environment variables into paths when possible. Therefore, any rule that includes a file path of <u>c:\Program Files</u> is automatically converted to use the vulnerable <u>%ProgramFiles%</u> instead.</p>
<h3 id="environment-variables">Environment Variables</h3>
<p>There are two types of Windows environment variables: User and System. User environment variables only apply to the current user logged in. System environment variables apply to all users of the computer. Windows has some default well-known System environment variables such as <u>%SystemDrive%</u>, <u>%WinDir%</u>, and <u>%ProgramFiles%</u> that typically resolve to <u>C:</u>, <u>C:\Windows</u>, and <u>C:\Program Files</u> respectively.</p>
<p>In the default scenario, when a System environment variable and User environment variable exist with identical names, the User environment variable takes precedence when referenced. It is due to this precedence ordering that this vulnerability exists.</p>
<h3 id="exploit">Exploit</h3>
<p>Now it is time to exploit that Wireshark rule!</p>
<p>On the computer with this Wireshark rule in effect, <u>%ProgramFiles%</u> resolves to <u>C:\Program Files</u>. This means that when the standard user launches <u>C:\Program Files\Wireshark\Wireshark.exe</u>, this rule is matched and the process gets the administrator token injected by Avecto. This is the expected result.</p>
<p>To exploit as a standard user we need to create a User environment variable that matches. To do this, we launch a cmd prompt and run the following command:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>setx ProgramFiles c:\Users\&lt;StandardUser&gt;\Desktop
</code></pre></div></div>
<p>This creates a user environment variable called ProgramFiles that points to an attacker’s writable folder.</p>
<p>Next, the rule file path directory is matched by creating a folder called <u>Wireshark</u> on the Desktop.</p>
<p>Finally, the attacker’s code is dropped into this folder and renamed to <u>Wireshark.exe</u>.</p>
<p>Now when the attacker’s code is launched, Avecto matches the rule to the attacker’s code and automatically gives administrative permissions to the launched process. We have just exploited a Privilege Escalation vulnerability: any standard user can now launch any code with administrative permissions without needing to enter administrator credentials. From this point it is trivial to elevate to SYSTEM, giving complete ownership of the computer to the attacker.</p>
<h3 id="the-fix">The Fix</h3>
<p>As described in the release notes, the fix was fairly simple. Instead of using User environment variables before System environment variables when resolving rule file paths, the ordering has been switched. Now any standard Windows environment variables referenced in the rule file paths will always resolve to the correct System environment variable.</p>
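<p>The fixed ordering described here, and the User-over-System precedence from the Environment Variables section, can be illustrated with the following added PowerShell example (my own code, not Avecto’s): it resolves a rule path from Machine scope only, shows what Process scope would have produced for the same path, and lists any User-scope variables that currently shadow Machine-scope ones. The function names and the use of the .NET Environment class are my own choices; the rule path is the Wireshark rule quoted above.</p>

```powershell
# Added example (not Avecto's code): audit User-scope variables that shadow
# Machine-scope ones, and resolve a rule path the way the fixed product does.

function Get-ShadowedSystemVariable {
    # Returns each Machine-scope variable that a User-scope variable of the
    # same name (case-insensitive, as Windows treats them) overrides.
    $machine = [Environment]::GetEnvironmentVariables('Machine')
    $user = New-Object 'System.Collections.Generic.Dictionary[string,string]' `
        -ArgumentList ([StringComparer]::OrdinalIgnoreCase)
    foreach ($e in [Environment]::GetEnvironmentVariables('User').GetEnumerator()) {
        $user[$e.Key] = $e.Value
    }
    foreach ($e in $machine.GetEnumerator()) {
        if ($user.ContainsKey($e.Key) -and $user[$e.Key] -ne $e.Value) {
            [pscustomobject]@{
                Name         = $e.Key
                MachineValue = $e.Value
                UserValue    = $user[$e.Key]
            }
        }
    }
}

function Resolve-RulePath {
    # Expands %VAR% tokens from Machine scope only, mirroring the fixed
    # ordering; an unknown token is an error rather than a silent pass-through.
    param([Parameter(Mandatory)][string]$RulePath)
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $value = [Environment]::GetEnvironmentVariable($m.Groups[1].Value, 'Machine')
        if ($null -eq $value) { throw "No Machine-scope variable for $($m.Value)" }
        $value
    }
    [regex]::Replace($RulePath, '%([^%]+)%', $evaluator)
}

# The rule path from the Avecto rule quoted above.
$rule = '%ProgramFiles%\Wireshark\Wireshark.exe'
'Machine-scope resolution (fixed behaviour): {0}' -f (Resolve-RulePath $rule)
# Process scope inherits the User-scope value when one exists, which is the
# vulnerable ordering; the two lines differ on a machine with a shadowed variable.
'Process-scope resolution (vulnerable order): {0}' -f [Environment]::ExpandEnvironmentVariables($rule)

$shadowed = @(Get-ShadowedSystemVariable)
if ($shadowed.Count -eq 0) {
    'No User-scope variables shadow Machine-scope variables.'
} else {
    $shadowed | Format-Table -AutoSize
}
```

<p>Run on an endpoint as the logged-on user; any row in the shadowed-variable table is a User-scope definition worth reviewing, since a rule path using that variable would have resolved differently under the pre-fix ordering.</p>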
<h3 id="timeline">Timeline</h3>
<blockquote>
<p>04/13/2018 - Discovered vulnerability.</p>
<p>04/23/2018 - Reported vulnerability to Avecto.</p>
<p>04/24/2018 - Avecto confirmed vulnerability.</p>
<p>05/09/2018 - Avecto released fix and release notes.</p>
<p>05/10/2018 - Mitre assigned a CVE number.</p>
<p>05/11/2018 - Avecto published updated release notes.</p>
<p>07/30/2018 - Nondisclosure agreement with Avecto expired.</p>
<p>01/14/2019 - Request to make the CVE public submitted to Mitre.</p>
<p>04/17/2019 - Mitre made the CVE public.</p>
</blockquote>
<h3 id="cve-2018-6689-mcafee-improper-authentication">CVE-2018-6689 - McAfee - Improper Authentication</h3>
<p>2018-10-02 - <a href="https://hackandpwn.com/cve-2018-6689">https://hackandpwn.com/cve-2018-6689</a></p>
<p>Authentication bypass vulnerability in McAfee Data Loss Prevention Endpoint (DLP Endpoint) 10.0.x earlier than 10.0.510, and 11.0.x earlier than 11.0.600 allows attackers to bypass local security protection via specific conditions.</p>
<p>It is possible to access a user’s session on a locked Windows machine if certain DLP Endpoint configurations are made by the DLP Endpoint administrator to include hyperlinks in user notification dialogs, and an actor performs specific actions on a protected machine.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10252&showDraft=true">Trellix Security Bulletin SB10252</a></p>
<h3 id="cve-2018-6674-mcafee-improper-privilege-management">CVE-2018-6674 - McAfee - Improper Privilege Management</h3>
<p>2018-05-09 - <a href="https://hackandpwn.com/cve-2018-6674">https://hackandpwn.com/cve-2018-6674</a></p>
<p>When the process McTray.exe runs with elevated privileges, VSE might spawn a process inheriting the parent’s privileges, exposing the system to manipulation by an attacker.</p>
<p>Privilege Escalation vulnerability in Microsoft Windows client (McTray.exe) in McAfee VirusScan Enterprise (VSE) 8.8 earlier than Patch 13 may allow local users to spawn unrelated processes with elevated privileges via the system administrator granting McTray.exe elevated privileges.</p>
<p><a href="https://kcm.trellix.com/corporate/index?page=content&id=SB10237&showDraft=true">Trellix Security Bulletin SB10237</a></p>