HackAndPwn
Security & Vulnerability Researcher / Professional Penetration Tester

Windows 7 ESU Patching

With the May 2020 Windows 7 updates, I went on a mission to determine the minimum set of updates needed to enable all features within Windows 7, including optional hotfixes, and to have the most up-to-date installation possible. After extensive testing, I concluded that 42 updates not offered through Windows Update would need to be installed to reach this objective. The following sections describe the updates required and provide links to each.

The base test image used for this research was 64-Bit Windows 7 Ultimate SP1. Microsoft Update was enabled, and all updates offered through Windows Update were installed prior to starting this investigation.

I highly recommend both the KUC Update Checker and WSUS Offline Update utilities. I used both during this investigation in order to get to this minimum required set.

Enabling ESU Updates

This first section holds a single update required for ESU updates further down the list. A detailed analysis on this update can be found on my Windows 7 ESU Analysis post.

KB NumberNameDescriptionDownload
KB4528069Windows 7 SP1 ESU VerificationThis optional update will help verify that eligible Windows 7 SP1 devices can continue to get Extended Security Updates (ESUs) after the end of support date of January 14, 2020.Windows6.1-KB4528069-x64.msu
Windows6.1-KB4528069-x86.msu

Installing Optional Features

The next section of updates enables all optional features not available through Windows Update. The notable exception from this list is the AD LDS feature, which is discussed in more detail in the next section.

After installing the Work Folders for Windows feature (KB2891638), an update may appear as available in Windows Update (KB3081954). However, this update is not required and is replaced with Service Pack 2 (KB3125574). Once KB3125574 is installed, KB3081954 will no longer appear in Windows Update.

KB NumberNameDescriptionDownload
KB917607Windows Help 32-bit Compatibility UpdateWinHlp32.exe is required to display 32-bit Help files that have the ".hlp" file name extension. To view .hlp files on Windows 7, you need to install this application.Windows6.1-KB917607-x64.msu
Windows6.1-KB917607-x86.msu
KB943790File Management API Extensions For BitLockerInstall this update to extend the File Management APIs to not only enable the discovery and restoration of deleted files from volumes that are not encrypted but also enable the recovery of files from BitLocker encrypted volumes.Windows6.1-KB943790-x64.msu
Windows6.1-KB943790-x86.msu
KB958559Windows Virtual PCWindows Virtual PC can be used to run more than one operating system at the same time on one computer, and to run many productivity applications on a virtual Windows environment, with a single click, directly from a computer running Windows 7.Windows6.1-KB958559-x64.msu
Windows6.1-KB958559-x86.msu
1.3.7600.16423Windows XP ModeWindows XP Mode provides a 32-bit virtual Windows XP Professional Service Pack 3 (SP3) environment, which makes it easy to run many of your productivity programs that run on Windows XP on Windows 7.Windows-XP-Mode-en-us.exe
Part 1
Part 2
Part 3
Part 4
Part 5
KB958830Remote Server Administration ToolsRemote Server Administration Tools for Windows 7 SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003, from a remote computer that is running Windows 7 SP1.Windows6.1-KB958830-x64.msu
Part 1
Part 2
Part 3
 
Windows6.1-KB958830-x86.msu
Part 1
Part 2
Part 3
KB969168Microsoft AgentMicrosoft Agent is a set of software services that supports interactive characters within the Microsoft Windows display. Examples of the Microsoft Agent characters are the Office Assistants.Windows6.1-KB969168-x64.msu
Windows6.1-KB969168-x86.msu
KB970985Remote Administration Tools For Windows Media ServicesThe Remote Administration Tools for Windows Media Services update for Windows 7 SP1 enables the Windows Media Services snap-in for the Microsoft Management Console.Windows6.1-KB970985-x64.msu
Windows6.1-KB970985-x86.msu
KB974150Windows NTBackup UtilityNTBackup is the legacy Windows backup application included in previous versions of Windows. Files can be backed up to tape, ZIP drives, floppy disks, and hard drives using a proprietary backup format (BKF). It also features integration with Task Scheduler and has several command line switches for scheduled automated backups.Windows6.1-KB974150-x64.msu
Windows6.1-KB974150-x86.msu
KB974405Windows Identity FoundationThe Windows Identity Foundation helps simplify user access for developers by externalizing user access from applications via claims and reducing development effort with pre-built security logic and integrated .NET tools.Windows6.1-KB974405-x64.msu
Windows6.1-KB974405-x86.msu
KB974674Windows NTBackup Restore UtilityThe Windows NTBackup Restore Utility for Windows 7 SP1 restores backups that are made on Windows XP and on Windows Server 2003 to computers that are running Windows 7 and Windows Server 2008 R2.Windows6.1-KB974674-x64.msu
Windows6.1-KB974674-x86.msu
KB981390Windows Server Update Services Best Practices AnalyzerYou can use the Windows Server Update Services (WSUS) update for Best Practices Analyzer to scan a server that is running WSUS. A BPA scan of WSUS can help you determine whether WSUS was properly installed and configured on your server. Scan results are displayed as a list of issues that you can sort by severity, and results include recommendations for fixing issues and links to instructions. No configuration changes are made by running the scan.Windows6.1-KB981390-x64.msu
KB981392Application Server Best Practices AnalyzerYou can use the Application Server update for Best Practices Analyzer to scan a server that is running the Application Server role. BPA can help you determine whether Application Server was installed correctly on a server. Scan results are displayed as a list of issues that you can sort by severity, and results include recommendations for fixing issues and links to instructions. No configuration changes are made by running the scan.Windows6.1-KB981392-x64.msu
KB2386667Application Server Best Practices Analyzer Rules RevisionInstall this update to revise the rules of the Best Practice Analyzer (BPA) for the Application Server role.Windows6.1-KB2386667-x64.msu
KB2666914DirectAccess Connectivity Assistant 2.0The Microsoft DirectAccess Connectivity Assistant (DCA) version 2.0 is used by DirectAccess client computers running Windows 7, to connect to Windows Server 2012 servers running DirectAccess.Windows6.1-KB2666914-x64.msu
Windows6.1-KB2666914-x86.msu
KB2790621Windows Server Essentials ConnectorWindows Server Essentials Connector is software that helps you connect your PC or Mac client to Windows Server 2012 R2 with the Windows Server Essentials Experience server role enabled. It also enables and manages key client-side functionality of Windows Server Essentials Experience.Windows6.1-KB2790621-x64.msu
Windows6.1-KB2790621-x86.msu
KB2891638Work Folders For WindowsWork Folders is a place to store your work files so that you can open them from all computers and devices, even when you are offline.Windows6.1-KB2891638-x64.msu
Windows6.1-KB2891638-x86.msu
KB2959936Embedded Lockdown Manager Feature Set UpdateEmbedded Lockdown Manager uses Windows Management Instrumentation (WMI) providers to detect and change configuration settings and can export the settings to PowerShell scripts.Windows6.1-KB2959936-x64.msu
Windows6.1-KB2959936-x86.msu
KB2990999Internet Explorer 11 Web Driver ToolThe IE WebDriver Tool enables developers to create automated tests that simulate users interacting with webpages and report back results in Internet Explorer 11. It can also manage testing across multiple windows, tabs, and webpages in a single session.Windows6.1-KB2990999-x64.msu
Windows6.1-KB2990999-x86.msu
KB3191566Windows Management Framework 5.1Windows Management Framework 5.1 includes updates to Windows PowerShell, Windows PowerShell Desired State Configuration (DSC), Windows Remote Management (WinRM), and Windows Management Instrumentation (WMI).Windows6.1-KB3191566-x64.msu
Windows6.1-KB3191566-x86.msu

Installing the AD LDS Optional Feature

The next table describes the updates required to enable and patch AD LDS.

There is an issue if the AD LDS feature is installed after Windows 7 SP1. If this situation occurs, updates included within the Convenience Rollup (SP2) do not apply correctly. Therefore, these updates need to be installed manually to fully update the feature. More details can be found here.

There are a dozen different updates related to AD LDS on Windows 7 SP1. However, after careful analysis, only half of them have components not replaced by other updates. These unnecessary updates related to AD LDS are: KB2898997, KB2922852, KB3042816, KB3160352 , KB3184471, and KB3198591. The required updates are listed in the table below.

After installing the first AD LDS Update (KB975541), an update may appear as available in Windows Update (KB2853587). However, this update is not required and is replaced with KB3012660. Once KB3012660 is installed, KB2853587 will no longer appear in Windows Update.

After installing the first AD LDS Update (KB975541), another update may appear as available in Windows Update (KB3184471). However, this update is not required and is replaced with the latest ESU Windows 7 Cumulative Update. Once that is installed, KB3184471 will no longer appear in Windows Update.

KB NumberNameDescriptionDownload
KB975541AD LDS FeatureActive Directory Lightweight Directory Services (AD LDS) provides directory services for directory-enabled applications.Windows6.1-KB975541-x64.msu
Windows6.1-KB975541-x86.msu
KB2462137AD MMC & ADAC Country UpdateThe Active Directory Users and Computers MMC snap-in and Active Directory Administrative Center display Serbia and Montenegro as one country instead of as two countries in Windows 7 SP1.Windows6.1-KB2462137-v2-x64.msu
Windows6.1-KB2462137-v2-x86.msu
KB2539513Repadmin Indefinate QueryThe repadmin command keeps running when you try to look up the users who have their passwords stored on the RODC.Windows6.1-KB2539513-x64.msu
Windows6.1-KB2539513-x86.msu
KB2589154AD MMC RODC UpdateActive Directory Users and Computers MMC snap-in crashes when you try to remove an RODC in Windows 7 SP1.Windows6.1-KB2589154-x64.msu
Windows6.1-KB2589154-x86.msu
KB2647644AD Certificate Use Issuer UpdateYou cannot clear the "Use Issuer for alternate security identity" check box in Windows 7 SP1.Windows6.1-KB2647644-v2-x64.msu
Windows6.1-KB2647644-v2-x86.msu
KB2790338AD FS Update Rollup 3Update Rollup 3 for Active Directory Federation Services (AD FS) 2.0.Windows6.1-KB2790338-v2-x64.msu
KB3012660Unable to install Security Update KB2853587"The update is not applicable to your computer" error when you install update 2853587 in Windows 7 SP1 with AD LDS.Windows6.1-KB3012660-x64.msu
Windows6.1-KB3012660-x86.msu

Installing the Convenience Rollup (SP2) and running the System Update Readiness Tool

There are two large updates that can be applied next. The first is the Windows 7 Convenience Rollup, which is also considered SP2 for Windows 7 and includes a collection of hotfixes and updates. The second update is the System Update Readiness Tool. This update will not show as installed, so this is included to be executed once (verifying SP2 installation integrity).

After installing Service Pack 2 (KB3125574), an update may appear as available in Windows Update (KB4539601). However, this update is not required and is replaced with the latest ESU Windows 7 Cumulative Update. Once that is installed, KB4539601 will no longer appear in Windows Update.

KB NumberNameDescriptionDownload
KB3125574Service Pack 2This rollup package includes most updates that were released after the release of SP1 for Windows 7, through April 2016, intended to make it easy to integrate these fixes.Windows6.1-KB3125574-v4-x64.msu
Part 1
Part 2
Part 3
Part 4
Part 5
 
Windows6.1-KB3125574-v4-x86.msu
Part 1
Part 2
Part 3
Part 4
KB947821System Update Readiness ToolThis tool fixes inconsistencies found in the Windows servicing store which may prevent the successful installation of future updates, service packs, and software.Windows6.1-KB947821-v34-x64.msu
Part 1
Part 2
Part 3
Part 4
Part 5
Part 6
 
Windows6.1-KB947821-v34-x86.msu
Part 1
Part 2
Part 3

Optional Software Updates

There are seven Windows 7 optional software updates that do not require an ESU license to install.

VersionNameDescriptionDownload
5.3.0.0Attack Surface AnalyzerAttack Surface Analyzer takes a snapshot of your system state before and after the installation of product(s) and displays the changes to a number of key elements of the Windows attack surface.Attack-Surface-Analyzer-x64.msi
Attack-Surface-Analyzer-x86.msi
5.52Enhanced Mitigation Experience ToolkitThe Enhanced Mitigation Experience Toolkit (EMET) helps raise the bar against attackers gaining access to computer systems. EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software. EMET benefits enterprises and all computer users by helping to protect against security threats and breaches that can disrupt businesses and daily lives.EMET-Setup.msi
12.0.0.0Enterprise Mode Internet Explorer Site List ManagerThis tool lets IT Professionals create and update the Enterprise Mode Site List in the version 2.0 (v.2) XML schema. The Enterprise Mode schema has been updated to v.2 to be easier to read and to provide a better foundation for future capabilities.EM-IE-Site-List-Manager.msi
10.0.237.0Windows JournalWindows Journal has been removed from certain versions of the Windows Operating System. This update allows users to install Windows Journal on versions of Windows where it has been removed.Journal-en-us-x64.msi
Journal-en-us-x86.msi
2.3.2208Microsoft Baseline Security AnalyzerThe Microsoft Baseline Security Analyzer provides a streamlined method to identify missing security updates and common security misconfigurations.MBSA-Setup-x64-EN.msi
MBSA-Setup-x86-EN.msi
6.3.9723.0Microsoft Camera Codec PackThe Microsoft Camera Codec Pack enables the viewing of a variety of device-specific file formats in Windows Live Photo Gallery as well as other software that is based in Windows Imaging Codecs (WIC). Installing this package will allow supported RAW camera files to be viewable in Windows Explorer.Microsoft-Camera-Codec-Pack-x64.msi
Microsoft-Camera-Codec-Pack-x86.msi
10.0.7063.0Utilities and SDK for Subsystem for UNIX-based ApplicationsUtilities and SDK for Subsystem for UNIX-based Applications (SUA) includes the following base utilities, software development kits (SDKs), and shells for use with Subsystem for UNIX-based Applications: Base subsystem commands and utilities, SVR-5 commands and utilities, Base subsystem SDK, GNU SDK, GNU commands and utilities, SCO commands and utilities, UNIX-based Perl, Microsoft Visual Studio® Debugger Extension for debugging POSIX applications, Korn and C shells, and Subsystem for UNIX-based Applications HTML Help files (\*.chm). This release allows you to develop x64-based applications by using SUA, and develop and port custom UNIX-based applications to Windows by using the Windows OCI (Oracle Call Interface) and Windows ODBC libraries.Utilities-and-SDK-for-Subsystem-for-UNIX-based-Applications-AMD64.exe
Part 1
Part 2
Part 3
 
Utilities-and-SDK-for-Subsystem-for-UNIX-based-Applications-X86.exe
Part 1
Part 2
Part 3

Non-ESU SP2 Hotfixes

There are six hotfixes available to update components after Service Pack 2 has been installed. These do not require an ESU license to install.

KB NumberNameDescriptionDownload
KB2818604AMD Microcode UpdateA microcode update is available for Windows 7-based computers that use AMD processors.Windows6.1-KB2818604-x64.msu
Windows6.1-KB2818604-x86.msu
KB3046480.NET Framework 1.1 Migration CheckThis update enables the system to determine whether to migrate the Microsoft .NET Framework 1.1 to a later version of Windows when you upgrade from Windows 7 to a later version of Windows. This determination is based on the usage of the .NET Framework 1.1.Windows6.1-KB3046480-x64.msu
Windows6.1-KB3046480-x86.msu
KB3064209Intel Microcode UpdateJune 2015 Intel CPU microcode update for Windows.Windows6.1-KB3064209-x64.msu
Windows6.1-KB3064209-x86.msu
KB4072650Hyper-V Integration Components UpdateThis update installs the latest integrated components for Windows 7 Guest Virtual Machines (VMs) that are running on a Windows 10-based or Windows Server 2016-based host, or a Windows Server 2012 R2-based host.Windows6.1-KB4072650-x64.cab
Windows6.1-KB4072650-x86.cab
KB4524752Windows 7 SP1 Support NotificationAfter 10 years of servicing, January 14, 2020 is the last day Microsoft will offer security updates for computers that run Windows 7 Service Pack 1 (SP1). This update enables reminders about Windows 7 end of support.Windows6.1-KB4524752-x64.msu
Windows6.1-KB4524752-x86.msu
KB4578847Update for Application and Device CompatibilityAdds functionality for evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.Windows6.1-KB4578847-x64.msu
Windows6.1-KB4578847-x86.msu

ESU Updates

This section describes the latest ESU updates available for Windows 7. All of these updates are cumulative containing fixes from all previous versions of the updates. An ESU license is required to install these updates, and only the latest one needs to be installed.

KB NumberNameDescriptionDownload
KB5034865February 2024 Servicing Stack UpdateThis update makes quality improvements to the servicing stack, which is the component that installs Windows updates. Servicing stack updates (SSU) makes sure that you have a robust and reliable servicing stack so that your devices can receive and install Microsoft updates.Windows6.1-KB5034865-x64.msu
Windows6.1-KB5034865-x86.msu
KB5037780*May 2024 Windows 7 Cumulative UpdateSecurity and Quality Rollup for Windows 7 SP1.Windows6.1-KB5037780-x64.msu
Part 1
Part 2
Part 3
Part 4
Part 5
 
Windows6.1-KB5037780-x86.msu
Part 1
Part 2
Part 3
KB5036626April 2024 .NET Framework 3.5.1 UpdateSecurity and Quality Rollup for .NET Framework 3.5.1 for Windows 7 SP1.Windows6.1-KB5036626-x64.msu
Windows6.1-KB5036626-x86.msu
KB5037916May 2024 .NET Framework 4.8 UpdateSecurity and Quality Rollup for .NET Framework 4.8 for Windows 7 SP1.ndp48-KB5037916-x64.exe
ndp48-KB5037916-x86.exe

* Note: a new ESU package has been integrated into this update. For details please see this post: Windows 7 ESU Analysis Updates.

Root Certificate Updates

Finally, the latest Microsoft Root Certificates need to be installed into the Local Computer Trusted Root Authority Certificate Store. A batch file to automatically install all certificates and revocation lists can be found here: Import.cmd

DateTypeDownload
2018-08-02CertificateMicRooCerAut2011_2011_03_22.crt
2018-08-02CertificateMicrosoft ECC Product Root Certificate Authority 2018.crt
2018-08-02CertificateMicrosoft ECC TS Root Certificate Authority 2018.crt
2018-08-02CertificateMicrosoft Time Stamp Root Certificate Authority 2014.crt
2020-01-22CertificateMicrosoft ECC Root Certificate Authority 2017.crt
2020-01-22CertificateMicrosoft EV ECC Root Certificate Authority 2017.crt
2020-01-22CertificateMicrosoft RSA Root Certificate Authority 2017.crt
2020-01-22CertificateMicrosoft EV RSA Root Certificate Authority 2017.crt
2024-03-04Revocation ListMicRooCerAut_2010-06-23.crl
2024-03-12Revocation ListMicrosoft ECC Product Root Certificate Authority 2018.crl
2024-03-12Revocation ListMicrosoft ECC TS Root Certificate Authority 2018.crl
2024-03-21Revocation ListMicrosoft RSA Root Certificate Authority 2017.crl
2024-03-22Revocation ListMicrosoft EV ECC Root Certificate Authority 2017.crl
2024-03-22Revocation ListMicrosoft EV RSA Root Certificate Authority 2017.crl
2024-04-11Revocation ListMicrosoft Time Stamp Root Certificate Authority 2014.crl
2024-05-03Revocation ListMicrosoft ECC Root Certificate Authority 2017.crl

Conclusion

Once these updates are installed on top of an up-to-date Windows 7 SP1 installation, the OS has been completely updated with hotfixes and optional features. All of these updates can be found on this GitHub repository: Windows 7 Patching.

The goal is to keep this list updated as changes are introduced. Please reach out to me via X or GitHub if there is an update that is missing, if there is an update in this list that you feel may not be needed, or if there are any other questions or feedback.

Update 2024-05-16

  • Replaced April 2024 Monthly Update (KB5036967) with May 2024 Monthly Update (KB5037780).
  • Replaced April 2024 .NET Framework 4.8 Update (KB5036615) with May 2024 .NET Framework 4.8 Update (KB5037916).
  • Updated Microsoft ECC Root Certificate Authority 2017.crl.
  • Updated Microsoft Time Stamp Root Certificate Authority 2014.crl.

For previous updates to this post, see Windows 7 ESU Patching Changelog.


buy me a coffee