Components version shipped with Windows 2000:

• Internet Explorer 5.01 (5.0.3700.1000) + MSXML Parser 2.5 + WSH 5.1
• DirectX 7.0 (4.07.00.0700)
• MDAC 2.5 (2.53.6200.1)
• Windows Media Player 6.4 (6.4.09.1125)
• Windows Installer 2 (2.00.2600.1183)

UPDATED

Required for Windows Update Agent 2.0 & Windows Update V6
Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773) April 9, 2005
com_microsoft.842773_W2K_SP5_WinSE_106507
Microsoft Windows Installer 3.1 May 13, 2005
com_microsoft.893803_WindowsInstaller_v31


Update Rollup 1 for Windows 2000 Service Pack 4 (KB891861) April 30, 2005
Ensemble de mises à jour cumulatives 1 pour Windows 2000 Service Pack 4 (KB891861) April 30, 2005
com_microsoft.891861_W2K_SP4_URP
Security Update for Windows 2000 (KB894320) May 10, 2005
Mise à jour de sécurité pour Windows 2000 (KB894320) May 10, 2005
com_microsoft.894320_W2K_SP5_x86_WinSE_154269
Security Update for Windows 2000 (KB######) June 14, 2005
Mise à jour de sécurité pour Windows 2000 (KB######) June 14, 2005
com_microsoft.893066_W2K_SP5_x86_WinSE_TP21_142201 ?
com_microsoft.896422_W2K_SP5_x86_WinSE_151587
com_microsoft.890046_W2K_SP5_x86_WinSE_142357
com_microsoft.896358_W2K_SP5_x86_WinSE_157097
Security Update for Windows 2000 (KB901214) July 12, 2005
Mise à jour de sécurité pour Windows 2000 (KB901214)
com_microsoft.901214_W2K_SP5_x86_WinSE_163250
Security Update for Windows 2000 (KB######) Aug 9, 2005
Mise à jour de sécurité pour Windows 2000 (KB######) Aug 9, 2005
com_microsoft.893756_W2K_SP5_x86_WinSE_153559
com_microsoft.896423_W2K_SP5_x86_WinSE_155328
com_microsoft.899587_W2K_SP5_x86_WinSE_162599
com_microsoft.899588_W2K_SP5_x86_WinSE_159531

Others components updates
Security Update for Microsoft Data Access Components (KB832483)
com_microsoft.Q832483_MDAC_x86
Critical Update for Windows Media Player Script Commands (KB828026)
com_microsoft.Q828026_MSRC3326_WMP_XP_W2K_W2K3 ?
Critical Update for ADODB.stream (KB870669)
com_microsoft.870669_ADODB_Killbit_Win2000_32bit ?

Updates for updated IE and Internet Tools component
Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB896727)
com_microsoft.896727_IE_6_SP1_x86_163829
Cumulative Security Update for Outlook Express 6 SP1 (KB823353)
com_microsoft.Q823353_OE6_SP1
814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP)
com_microsoft.Jscript_ win2K_XP_56_6003

Updates for original components
Cumulative Security Update for Internet Explorer 5.01 Service Pack 4 (KB896727)
com_microsoft.896727_IE_501_SP4_x86_162912
Cumulative Security Update for Outlook Express 5.5 Service Pack 2 (KB823353)
com_microsoft.Q823353_OE55SP2
814078: Security Update (Microsoft Jscript version 5.1, Windows 2000)
com_microsoft.Jscript_Win2K_51_5999
Security Update for DirectX (KB839643)
com_microsoft.DirectX_839643_W2K_IB="Security Update for DirectX 7.0 (KB839643)"
or
com_microsoft.819696_nonDirectX_8_CRITICAL="Security Update for Microsoft Windows (KB819696)"
com_microsoft.DirectX_839643_W2K_8_1="Security Update for DirectX 8.1 (KB839643)"
or
com_microsoft.DirectX_839643_W2K_9_0="Security Update for DirectX 9.0 (KB839643)"


Notes
Update Rollup for Windows 2000 does not contain updates for individual Windows components not included with a clean slipstream install of Windows 2000 SP4. If there are components previously installed or updated on the system, the individual security updates must be downloaded separately from Windows Update.

Examples include the following:
Security Update for DirectX 7 / 8.1 / 9.0b (KB839643)
DirectX 9.0c: n/a


Windows 2000 Professional Patches offline patching batch | Author: clark | Last updated: 17th July 2005

Microsoft Internet Explorer 6 Service Pack 1 (Windows 2000) Version 6.0.2800.1106

Microsoft GDI+ Detection Tool (KB873374)

DirectX 9.0c End-User Runtime Version 4.09.0000.0904

Windows Media Player 9 Series

Root Certificates Update

Microsoft .NET Framework version 1.1

+--------------------------------------------------------------------------------------------+
No longer a required Windows 2000 Update on WU
Microsoft Windows Journal Viewer 1.5

No longer a required Windows 2000 Update since release of rollup
Update for Windows 2000 (KB820888)

No longer a required Windows 2000 Update since release of rollup
Recommended Update for Windows 2000 (822831)

Pas mal ...

Thanks, Bilou!

February 2005 version new features:
included plugins to build DX9C and GDI+ silent packages
Special Case HFs improvement to deal with OE6 HFs install order.
Not solved:
About 841356 leftover files in two I386 subfolders and DOSNET.INF not clean

Obsolete
2KCreate (June 2004 version) issues:
The two digits refers to clark patch list on first post.

• 03 DirectX9c
  solution: DX9C silent package or use DirectX9b OPK + KB839643
• 04 818043
  You can safely delete 56BIT subfolder and his content (1 file) and remove reference in DOSNET.INF. This file was used for Windows version outside of the US 'til the end of 128 bits encryption export restrictions.
  solution: _818043.cmd
• 44 KB814078
  js56nen.exe not reported as installed by WU
  solution: replace with scripten.exe
• 24 KB841356
  solution: _841356.cmd
• 19 KB873374
  solution: GDI+ Detection Tool silent package
• 12 KB887797
  solution: Problems installing KB887797 over KB823353
• 14 KB823353

To solve the issues listed above before doing the ISO and burning it, you have to set 2 values to NO in XPCREATE.INI


I recommend to download first all Hotfixes, renaming various IE Hotfixes IE6.0sp1-KB<number>-x86-<language>.exe to their short name is recommended. Otherwise, XPCREATE may fail renaming IE hotfixes in SVC-HF2 and SVC-POS to their short name. Create your own package for some Hotfixes and before launching XPCREATE.CMD, set to NO in XPCREATE.INI

Windows 2000 Professional & Server SP4 HotFix List ENGLISH
Windows 2000 Professionnel & Serveur SP4 HotFix List FRANCAIS
Download plug-in which use HotFix List is a feature available only in the commercial release of XPCREATE.

Alternative:
You can use this URL to get links for the latest Hotfixes
Windows 2000 Post SP4 / PostSP4 HOTFIXES

Other alternative:
use the batch from clark (see first post on this thread)

Thanks again, Bilou, I've not forgotten!

Affected Components:
Windows Media Services 4.1 (included with Microsoft Windows 2000 Server)

• Microsoft Security Bulletin MS03-022
  Vulnerability in ISAPI Extension for Windows Media Services Could Cause Code Execution (822343)
  WindowsMedia41-KB822343-ENU.exe
  WindowsMedia41-KB822343-FRA.exe
• Microsoft Security Bulletin MS04-008
  Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)
  WindowsMedia41-KB832359-ENU.exe
  WindowsMedia41-KB832359-FRA.exe

Layer Two Tunneling Protocol (L2TP) and Internet Protocol security (IPSec) Functionality on computers that are running Windows 2000 Professional
To download this update, visit the following to use the: Microsoft Windows Update Catalog Web Site

• 818043 L2TP/IPSec NAT-T update
  Q818043_W2K_SP5_x86_EN_8771f25008d3c5f8c7aa577b615f619.EXE
  Q818043_W2K_SP5_x86_FR_fffa439f823b860dc5d9e21fbdfdd08.exe

Thanks, Bilou_Gateux!

I have also updated the Current Hotfixes List on the Web Site. Though I haven't checked, I would imagine that they are similar. Your list, however has links: Mine does not.

@GM

Wouldn't be nice to have 1 DataBase for all MSFN where you can grab the Hotfix list from, so only 1 update is needed...

(EX: Aaron is updating constantly the XP list, if he would have updated A Main DB List, you could grab your list from his automaticly)

just a thought...

DirectX 8.1b Runtime for Windows 2000 Version 4.08.01.0901

Microsoft Data Access Components (MDAC) 2.8 Version 2.80.1022.3

• download details Date Published: August 4, 2003
  The MDAC 2.8 release installs the same Data Access core components as Microsoft Windows Server 2003.
  This release does not include Microsoft Jet, the Microsoft Jet OLE DB Provider, the Desktop Database Drivers ODBC Driver, or the Visual FoxPro ODBC Driver.
  ENU mdac_typ.exe
  DEU mdac_typ.exe
  FRA mdac_typ.exe
• Silent install: MDAC_TYP.EXE /Q:A /R:N /C:"DASETUP.EXE /Q /N"

Microsoft Data Access Components (MDAC) 2.7 Service Pack 1 Refresh Version 2.71.9040.2

Thanks, Bilou_Gateux. I have updated the English Windows 2000 Test Version list (desole pour les non-anglophones ... ), as well as the Current Hotfix Page.

Windows 2003 Server English

Posted 30 September 2004

Thanks for the list, SlackNet! ... Hope someone finds it in the Windows 2000 thread!

For More Information
Windows Security Updates Summary for October 2004

ADD SVC-HF1\Windows2000-KB<hotfix_nb>-x86-<language>.exe | MD5 Hash

840947 FILE VERSION


Explorer GUI never load after last installation (on real box) reboot during winlogon... i can only ALT+CTRL+DEL to get Task Manager and shutdown computer...

Thanks once again, Bilou_Gateux.

I am currently working on updating the XP SP2 list, then I will do the 2K lists.

I am not sure what is hanging your installation, but most often it is a call from RunOnceEx (Windows puts many there). My suggestion would be to start Regedit when you press CTRL-ALT-DEL, and see what is left there. The command in question will not be shown there, but the next command will be. Then run setup again, and interupt with SHIFT-F10, at around the end of setup, look at the registry again, and see which command is just before the ones you previously noted.

I'll report back when I make some progress on my end.

Obsolete
Until GM give us the solution to install 834707 under Windows 2000, i use this method... (not recommended if you don't know what you're doing)

Download Cumulative Security Update for Internet Explorer 6 Service Pack 1 for Windows XP and Windows 2000 (KB834707)
Create C:\Temp\KB834707.W2K folder
Extract package :
IE6.0sp1-KB834707-Windows-2000-XP-x86-ENU.exe /c /t:C:\Temp\KB834707.W2K /Q

Download Cumulative Security Update for Internet Explorer 6 Service Pack 1 for Windows 98, Windows NT and Windows Millennium (KB834707)
Create C:\Temp\KB834707.NT4 folder
Extract package :
IE6.0sp1-KB834707-Windows-NT4sp6a-98-ME-x86-ENU.exe /c /t:C:\Temp\KB834707.NT4 /Q

Create SED file (see sample for French version) and save it to c:\Temp\KB834707.SED

run iexpress c:\temp\KB834707.SED and create package


You have now a Type 2 HotFix KB834707.EXE
copy KB834707.EXE and Q834707.CAT to CDROOT\I386\SVCPACK

Edit SVCPACK.INF and replace old 867801 with 834707


Create compressed version of the updated files from C:\Temp\KB834707.NT4 --> CDROOT\I386
MAKECAB /D CompressionMemory=21 /D CompressionType=LZX /L <target_path> <source_path>\<filename>

you're done

to avoid WindowsUpdate to claim Q834707 not installed
Value had to be changed from Q834707 to KB834707 in registry

Thanks, Bilou. I am looking into both that error, and finding a way to add Windows Media Connect to Windows XP at the moment. It looks like you saved me some work there. For some reason, with that update (if that is the "bad" one) my attempt to start RunOnceEx during installation with IE SP1 does not work. This results in the RunOnceEx problem I described earlier. I have about another hour free now, otherwise I will continue tomorrow.

More later ...

It seems that the KB841356 update is giving me problems. Can you, Bilou, confirm that this is installing OK for you? When I slipstream it, I never get to the shell, even after multiple forced reboots. I hope it is not due to the fact that I am using the un-released version - but I believe you are, as well. Are you?

I thought I was the only one with the taskmanager-only OS! Good thing I started reading this thread!

I read that there seems to be a lot of problems with the latest round of fixes. I also read on a website that there is a problem with the 841356 and 834707 patches with the shlwapi.dll file. Both hotfixes have it. Someone says that there's something with the same filesize and version but different checksums. Maybe that's a clue? I haven't run xpcreate after removing 834707 one yet to see if that's the problem.

Here the latest build i have make (XPCreate 17 SEP 2004) with a French 2K Server SP4 and installed on a real box without any problems.

• All my HF's are renamed to their 8.3 short name in SVC-??? folders (except for SVC-HF1)
• I don't add Journal Viewer to my list of HF
• After the end of xpcreation, manually edit SVCPACK.INF to replace HF1 KB834707 with my own HF2 build, replace KB8347~1.CAT file and 834707.EXE in SVCPACK folder with Q834707.CAT and KB834707.EXE.
• My HF2 KB834707.EXE is no longer digitally signed but the content is still signed (inf file not modified) and Q834707.CAT OK.
• Edited DOSNET.INF and removed references to I386 subfolders added by original KB834707.EXE HF Type 1 integration. (details in previous post)
• I don't create the ISO and burn it to CDRW
• install directly from %_source%=<PREPDIR>\CDROOT stored on a external USB Drive to %_target%=C: and launch
  %_source%\i386\winnt32.exe /s:%_source%\I386 /unattend:%_target%\unattend.txt /syspart:%_target% /tempdrive:%_target% /makelocalsource /noreboot
  from BartPE boot CD)

I don't quite understand why it works for you ... The problem I was having I have traced to the file SHLWAPI.DLL that is in the update 841356. The file that shold be slipstreamed is in one of the sub-directories. The SHLWAPI.DLL in the root of the patch is much too old. Instead of trying to figure out how to slipstream the correct file version, I have created a new SVC directory for Type I Hotfixes that are applied from SVCPACK.INF, but not slipstreamed. This was the same solution to the OE updates that are added to the SVC-POS directory.

Another thing I noted was that the update KB873377 can be used to replace the update KB834707. I add that to SVC-HF1, and have had success with it.

So, in the end, I do have everything installed, Windows Update and the Baseline Security Advisor come up quite clean. I will post the updated "Current Hotfixes" Web Page, as well as the latest XPCTEST version in a day or two.

Thanks, Bilou, for the help!

In my I386 directory the compressed shlwapi.dl_ version 6.0.2800.1584 is the one i have manually compressed and copied to the i386 directory (with the 6 others files from 834707 HF ) and owerwrited the "too much old" put by 841356.
Because i have created my build with the 3 new 12 oct. 2004 Windows 2000 HF + 834707 ieupdate, having no success to install it, then do some manual job to integrate my own type 2 834707, change the order in SVCPACK.INF, edited DOSNET.INF and added compressed files to i386 dir, the installation goes successfull.

834707 FILE VERSION


841356 FILE VERSION


After editing the update.inf from 841356, i see conditional statement "Install these files depending of IE version on the system" :

• IE501 from RTM to SP4 version, use the "too much old DLL" version 5
• IE6 RTM use the one in subfolder XPCLNT_QFE_BINARYDROP version 6.0.2750.167
• IE6 SP1 use the one in subfolder XPSP2_BINARYDROP version 6.0.2800.1584

We should not have ref in dosnet.inf to shlwapi.dll in subfolders nor create these subfolders and only copy the needed version in i386.

Hotfixes for Corporate Use Only.
A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. Update 873377 includes security update 834707 (MS04-038) and all Internet Explorer hotfixes.
Internet Explorer 6.0 Service Pack 1 (SP1) for Windows XP and Windows 2000 (873377)

So what other updates would this replace besides 834707?


http://www.microsoft.com/downloads/details...&displaylang=en


@GM
What is the newes XPCREATE? I have 19 SEP 2004. Your website still has the june version up.

Well the new updates proved to be a big headake for me as well.

I tryied with them all on 1st test run and install locked up.
On 2nd run I removed the odd ones and same result.

So I tried out what GM was doing with the 841356 not in and used 873377 instead and it work great

These are the updates that I used and there location:

Windows2000-KB840987-x86-ENU.EXE - SVC-HF1
Windows2000-KB841533-x86-ENU.EXE - SVC-HF1

IE6.0sp1-KB873377-Windows-2000-XP-x86-ENU.exe - SVC-HF1

JournalViewer1.5_KB886179_ENU.exe - SVC-HF2

Q317244.exe - SVC-X2M (msxml update)

After WU only reported 841356 to be needed. I am going to though it in now and try again. I'll post my results later.

EDIT: Update....

Yup 841356 made the install die so I put it runonce for now untill someone has an answer.

Thanks, BaTLeZone!

I think I have an answer to the last update, but I'm still testing it. I'll keep you posted.

@BatTLeZone

Can you run DXDIAG.EXE the first time you boot your fresh 2K install.

I get an error popup windows :
FRA : dxdiag.exe - point d'entrée introuvable
ENU : dxdiag.exe - Entry Point not Found



I would like to know if you get this error ?

Found the solution by googling
The procedure entry point DdEntry1 could not be located in the dynamic link library GDI32.dll.

Extract d3d8thk.w2k from dxnt.cab and copy to %windir%\system32
Then delete d3d8thk.dll from the c:/winnt/system32 folder.
Then rename the d3d8thk.w2k to d3d8thk.dll

Developpers @ M$ are unable to write patching routines that works...

(A quick note at the top, for what it's worth. DXDIAG.EXE works fine for me.)

Hey all. I've been through this a number of times, so I'll share my results with the hope that they may be useful to someone else. Thanks GreenMachine for the nice tool. It's a real time-saver.

This turned out to be a pretty long post. I know that the regulars here don't need all of this detail, but I was thinking of any newby who might be struggling with the same things. I posted here instead of in a new thread because it seemed to belong here.

(1) I'm using Windows 2000 Server SP4. For now I'm using IE6SP1, but I may go back to IE5.5SP2. I have done hotfix integration manually, and it was a real PITA. I found XPCREATE in September, and it worked great first time. Then all those new patches came out in October and everything got messed up again.

(2) Since GreenMachine's update list is not current and/or is offline (at least, the last time I checked) I did a clean install and then went to Windows Update to see what I needed. I downloaded everything manually and put them in what I imagined to be the correct folders (SVC-???). Then I ran XPCREATE and let it do its stuff (DLAUTO=NO). Then I did a fresh install with the ISO that XPCREATE made. Then I went to Windows Update again and found a bunch of new things that were missing. I repeated this cycle until I had a list of updates that leaves me missing two. I don't know how to resolve these two, and I'm hoping for a little help here.

The following list of updates will (to the best of my knowledge) patch a Windows2000 Server system with the exception of two critical updates: KB873374 KB841356. (Also note, I do not update DirectX and I do not add Journal Viewer.)

KB873374 is the GDI+ detection tool. Although this shows up as a critical update, and is potentially a serious problem, it does not seem to be a "patch" as such.

KB841356 seems (from reading this forum) to be giving others problems. I was going to wait until MS recognizes that there's a problem with this and patches their patch.

With the exception of those two, the following list gives me a patched system. All of this was done independently of (but compared against) bilou_gateaux's very useful list earlier in this thread.

For ease of reading, I've only listed the KB numbers. I have (rather inconsistently) changed the names as suggested elsewhere in the forum (ie, 8.3 names except for Type 1 hotfixes).

I'll explain the asterisks and the numbers in parenteses after.

SVC-DAH: Q832483 *
SVC-HF1: KB873388 (22)
Q818043 *
KB329115 (5)
KB820888 *
KB822831 *
KB823182 *
KB823559 *
KB824105 (6)
KB825119 (7)
KB826232 (8)
KB828035 (9)
KB828741 (10)
KB828749 (11)
KB835732 (12)
KB837001 (13)
KB839643 (14)
KB839645 (15)
KB840315 (16)
KB840987 (17)
KB841533 (18)
KB841872 (19)
KB841873 (20)
KB842526 (21)
KB837272 (23)
KB828026 (24)
SVC-HF2: js56nene *
KB833989 (3)
KB867801 *
KB870669 (2)
rootsupd *
SVC-MSX KB867460 (1)
SVC-POS KB823353 (4)
SVC-PRE IE6SP1 **
IESTART **
SVC-QCH Q815062 **
SVC-WMP MPSetup **
SVC-X2M DOTNETF **

After the install completes, I look in Add/Remove programs. The numbers in parentheses show which item in the Add/Remove programs list the hotfix is. An asterisk indicates that the hotfix did not appear in the Add/Remove programs list. Two asterisks indicate that although the item did not appear in the Add/Remove programs list, I could by other means (like running the program) verify that the item had installed.

?? How can I tell if the asterisked hotfixes have been applied or not? The fact that a hotfix doesn't show up on the Add/Remove list doesn't necessarily mean that it wasn't applied. It might have been superseded. It might be a hotfix that can't be removed. Or ... maybe it wasn't applied successfully.

?? In fact, how can I tell if any hotfix has definitively been applied? I mean, isn't it possible that a registry entry (for instance) has been changed to indicate the presence of a hotfix when in fact the hotfix hasn't been applied?

?? Another question, and I apologize if I've missed this while reading through hundreds of posts at MSFN -- can someone spell out the differences between a Type 1, Type 2 and the various other types of hotfixes? A link to the relevant thread would be enough.

OK, finally, a few problems I had.

First off, I had inconsistent results at first. It was my fault, but since others may have similar problems I'm going to mention it as something to watch out for. There were a number of different reasons for my inconsistent results.

One problem was lack of patience. Sometimes the process would seem to hang. I noticed (and later read in the forum) that pressing "y" or the space bar would answer some hidden question and get the process going. Maybe in my impatience, I hit too many "y"'s and something got skipped over. Anyhow, I've learned to be more patient, hit a "y" only once and wait a while and to check for minimized command prompt windows.

Another problem was a "dirty workspace". This means doing XPCREATE in a folder where I had done XPCREATE before. I don't know why this would make a difference, and maybe it's just my imagination -- but I've become superstitious. Now I start with a newly created folder. Then I run XPCREATE once to create all of the working folders. Then I copy my Win2K-S (SP1 slipstreamed) CD to the CD source. I put SP4 in SPACKS (or, I use a slipstreamed Win2K-SP4 as my CDSOURCE). Then I put the XPCTBOOT.BIN in the BOOT folder. All of this is my "Master" folder. I only work on copies of that. I fact, I only work on copies of copies of that. I'll make a copy and call it XPCREATE##, and then I load it up with all of the hotfixes that I think are appropriate. Then I copy that whole bunch of stuff to a new folder called TEST##. Then I run XPCREATE on TEST##. I use these two folders, XPCREATE## and TEST## because I don't know what changes XPCREATE might make to the original, and this way I can try to track what's happening. Then I do a clean install from the newly created ISO and check the results. For the next iteration, I go back to the "Master" folder, make a new copy (incrementing the number ie XPCREATE02), try the hotfixes a different way, make another copy (ie TEST02) and on and on.

Another problem may have been having too many (or interfering) hotfixes. At some point, I was using all of the hotfixes for September together with all of the new hotfixes. Maybe there were some conflicts, I don't know. Maybe it was just this KB841356 that seems to be causing problems.

OK. Sorry this was so long. I hope all of the details could be useful to someone.

• 1/ KB873374 GDI+ Detection Tool : don't bother about that. It's not a hotfix but a tool that open predefined web page to check your system for possibly programs needing updates. Value set to 1 in registry to avoid WindowsUpdate claiming not installed/run.
  
  CODE
  REG ADD "HKLM\SOFTWARE\Microsoft\GdiDetectionTool" /v "GDITool" /t REG_DWORD /d "00000001"
• 2/ I have already build a Windows 2000 Server SP4 + IE 5.5 SP2 with XPCreate.
  I have set DLAUTO=NO in XPCREATE.INI and build my own IE55SP2 package. It's the same method from building IE6SP1 package except i use an older IE5OEM.EXE instead of IE5SETUP.EXE to avoid a popup windows claiming the installer is not digitallly signed. If you want more infos, let me know i can give you more details.
  M$ don't release anymore HotFixes for IE55SP2 for Windows 2000 but you can still use IE55SP2 for WinMe HotFixes with some modifications.
• 3/ My video card do not need/support latest DirectX and i replace it with DX81NTOP.EXE + 839643 DirectX HotFix in my running box.
• 4/ to check HotFixes installation, you can use Shavlik HFNetChk.exe

Thanks for the reply bilou_gateux.

1. (about the GDI+ detection tool.) OK. That's what I thought. Still, there will need to be a better tool for this, because so many apps keep a copy of the vulnerable dll in their working dir. Anyhow, WRT XPCREATE, all is good.

2. (about IE5.5SP2) Ok. Good. That's what I was thinking I would have to do. I have most of the appropriate service packs and hotfixes around here somewhere. I never intended to use IE6, it just happened because that's what was on GreenMachine's list. I almost never use IE anyway -- only for checking page rendering and such.

3. (about DirectX) Ok. Good. I'll probably do the same.

4. (About HFNetChk by Shavlik) I used to use that, but I stopped. I forget what it was that I didn't like. Maybe they required ActiveX or something like that. OK, I'll try it again while I'm working on the hotfixes. Any idea what it checks (exactly)? I mean, does it check versions and MD5s of the dll's, vxd'x and ocx's (for instance) ... or does it just look for some flag or regkey that says that the hotfix has been applied?

Gee, I just checked the HFNetChk site. Maybe I'm thinking of something else, but the program I remember was much bigger (like 20MB). Is this going to give me anything that Windows Update won't? Would I be better off using the Baseline Security Analyzer?

Gee, weirder. On a clean install the program says that it detects a previously installed version. I wonder what's up with that.

Hmm... It gets worse. The good news is that I have answered one of my questions. It looks like Windows Update makes a very simplistic check of installed hotfixes and patches. Windows Update still shows the same two critical updates. Also HFNetChk does look at version numbers and checksums. That's good. They use a file that they get from Microsoft. That's good. Tht file was last updated October 20th. That's not so good. The worse part is that HFNetChk indicats that several patches on my system have not been installed -- patches which Windows Update thinks are installed, and which were integrated with XPCREATE. Some of them are due to wrong version numbers. I can understand that, considering that their list is a little old. The disturbing part is that a few files have the right version number, but the wrong checksum. Most disturbing in this category is kernel32.dll. Yikes!! Running HFNetChk -vv (Very Verbose) shows that this could be very bad. I would expect that if a dll changed (thus changing the checksum) that the version number would change too. Does anyone know if it every happens that they change a dll and they don't change the version number?

You tip to check out HFNetChk was good. BTW, HFNetChk -b (baseline) seemed good.

Your post (with all of the download links and MD5s) was really good. It will save some people a lot of time. (Unfortunately, I had already downloaded everything manually before you posted.) Anyway, I have found your contributions to be very valuable. Thanks.

Any idea about KB841356 ?

I'm still working on the W2K Server hotfixes.

Following bilou_gateux's advice, I've been using HFNetChk.
I use XPCREATE to make an updated, patched W2K CD.
(The hotfixes I use are listed a few posts back.)
I run WUpdate. WUpdate shows I'm missing 2 critical updates.
No surprise there.
Then I run HFNetChk and it surprises me.
It tells me that the folloing patches were not applied:
Q329115 (Hey wait. I thought I installed this!)
Q833330 (Blaster clean. I didn't install this. No surprise)
Q840987 (I thought this was installed too!)
Q841356 (This was intentionally omitted.)
Q834707 (I didn't install this. I think it was superseded by 873377)
Q329414 (Hmm. How come WUpdate didn't flag this?)

Warnings:
Q823353 (I thought I applied this!)
Q828026 (This too.)

Next, I tried to install a few of these manually.
Q329115 Still shows up as not installed.
Q840987 This one gets fixed when applied manually.
Q823353 This still gives a warning.
Q828026 Still gives a warning.

Q329115 and Q329414 complain of invalid checksums
The others are wrong versions.
Q841356 has a lower version than expected.
The others have *higher* versions than expected.
Maybe this is because the list that HFNetChk is using is outdated.

Is anyone else getting results like this?
Is anyone else checking their patches?

Thanks for reading.

I'm going to hold on this till the next version. Do know that I install WIN2K servers with all the latest updates, and get it all in fine. No reason it should not work for you. Just a little more patience ...

Thanks for the feedback GM. (And thanks for sharing your work!) Any idea when the new version will be out? Do you at least have a new patchlist for W2K Server?

When you say that you install W2K Servers with all the latest updates, do you mean with integrated hotfixes or updating after the install?

Do you use HFNetChk? If so, does it show no missing patches or warnings?

I'm thinking that the master list that HFNetChk checks against is out of date (since it looks for KB834707 instead of KB873377 ,which superseded it ... and also some version numbers that were reported as too high). I can't get HFNetChk to give a clean report. Maybe if I went back to a clean install and applied all the patches sequentially (ie, 834707 and then 873377), but that's a real PITA. Of the five or so patches that HFNetChk reports as not being installed, four of them still fail to show up after trying to manually apply them. This doesn't surprise me if their patchlist is out of date -- but the one patch that is included in my XPCREATE CD which still needs to be applied manually in order to be recognized by HFNetChk (KB840987) still puzzles me.

I'm able to get everything to look fine (according to WUpdate) by installing the last patch or two by hand. In my first couple of posts I was only concerned with getting these last patches integrated into my XPCREATE CD. Now that I've been checking with HFNetChk I'm getting confused again.

I'm all set up fpr testing, which I don't mind doing. The thing is that my system is old and slow. It takes over an hour to run XPCREATE. The bottleneck (for me) is in the DRIVERS.CAB compression. Just curious, does the compression routine for the CAB files allow switches so one can optimize for speed or size? If so, it might be an easy thing to add a line to the XPCREATE.INI file to allow people with slow machines to optimze compression for speed.

I've not used HFNetChk for a while: I use the Microsoft Baseline Security Analyzer. I was under the impression that they used the same XML file, but I do know that the latest MBSA is not compatible with the previous version. Perhaps HFNetChk still uses the previous version XML file, which may no longer be updated. Who knows ... But I still prefer MBSA.

The CAB compression can be a killer. I would suggest you set DPCABS=NO in XPCREATE.INI, while testing, and change it back for the final CD. Can saves tons of time ...

Ok. Thanks for the tip about DPCABS (what does that do?)

EDIT: Ok. I just ran MBSA and read around. Both programs are by Shavlik Technologies. Both use MSSecure.xml -- but the one that MBSA is using is from Oct. 21st and the one HFNetChk is using is from Oct. 20th. Maybe that accounts for the difference. I'm not sure. I have to read a little more to see exactly what MBSA checks (ie, checksums, version numbers or what). Anyhow, MBSA says I'm in good shape -- except for a few minor issues. </EDIT>

I don't know exactly the differencs between HFNetChk and MBSA. I've also used MBSA and been happy with it. It gave a lot of information over a wide range of areas. HFNetChk is a command-line tool and has a bunch of switches. The -b switch claims to check "status of hotfixes required to meet baseline security standards". Note that this only refers to hotfixes, and MBSA checks a lot of other areas as well (like accounts, permissions, services etc...).

HFNetChk uses an XML file called mssecure.cab. This file comes from MS, but Shavlik hosts a copy. The file that I'm using was last updated October 20th. HFNetChk checks version numbers and checksums of the files affected by the hotfix (mostly dlls).

I'd be curious to know what results you get if you run HFNetChk on a recently XPCREATEd CD of W2K Server. (It's a very small download and only takes a minute to run.) I'd also be curious to see the hotfix list that gave the results.

Thanks for the feedback. I'm going to run MBSA and see what it says. I'm also going to check MS's site for a more recent version of mssecure.cab

Must have been late last night ... that is DOCABS=NO, not DPCABS=NO.

I'll run HFNetChk next time I have a WIN2K Server going. I've used it before, but I found MBSA more "complete".

Here the result of my last (French) build including ALL except :

• 1/ recommended updates .NET Framework & Journal Viewer ;
• 2/ Using a repackaged 834707 instead of 873377 + registry edit data "Q834707" changed to "KB834707" in value "ComponentID";
• 3/ Q841356 added to svcpack.inf after XPCreation but not slipstreadmed to i386 according to GM Post: Oct 18 2004, 01:12 AM.
• 4/ registry edit to "kill" GDI+ Detection Tool

hey Bilou_Gateux

That's good feedback. Thanks. I've used two different MSSecure.XML files. I've used each with the free version of HFNetChk and MBSA with the /hf switch. I get different results every single time.

I need to set it aside for a while and look at it later with fresh eyes. For now, I'm "resting" by playing with slipstreaming SP2 into XP Pro. I'm also reading through the other forums here. A lot of material.

I'll post back when I get something sorted out.

Thanks again for the feedback.

I have not had a chance yet to test WIN2K, but, as always, Bilou_Gateux's advice is good advice!

Since wa are having the same problems with 2K, I ask:

anyone used this update instead of 814078 and 318089 on windows 2000 ?

It contains both updates, although jscript.dll is lower.

Replys appreciated.

I finally ran HFNetChk:
I know it reports errors, and I do not know where the invalid checksums come from, but I do believe everything is OK, especially as MBSA comes up clean.

@urgan: I have not tried that update, but as you can see, I have no JScript issues. I'll add it to my To Do list to look into it. THanks for pointing it out.

About 841356
with the current version of XPCreate, 841356 HotFix type 1 is not slipstreamed correctly.
before creating the iso and burning the CD, some minor modifications should be made:

• delete unused files and dir
• edit dosnet.inf and remove last two lines

last two lines in DOSNET.INF

Download change.exe Text Search and Replace Utility and save it to %PREPDIR%
Copy and paste content of file below to %PREPDIR%_841356.cmd and launch it:
_841356.txt

Remind me to hire that guy ...

Thanks, Bilou!

@bilou

Please clarify, are you still applying the js56nen update ?
According to Microsoft Security Bulletin MS03-008, this update is already on SP4, that why it never get's applied.
Do you know if using 839645 with 873377 causes the folder tree in explorer to stop working (I think I must regsvr32 some dll to fix this) ?

MS03-008: Flaw in Windows Script Engine may allow code to run (814078)


probably because the M$ Security Bulletin has not been updated to add Windows 2000 SP4.

@Bilou

Some
1 - I don't apply 814078 anymore and I get no indication of hfnetchk that is needed.
I think (i'm not at my PC) the latest IE update installs a newer jscript.dll, and i'm still convinced the fact it appeared on windows update was a bug.

2 - Since you provided a fix for the 841356, I don't see the point in still applying the 839645, since MS04-037 replaces MS04-024 on all windows versions.

3 - I use 832353 instead of 828026, which is supposed to replace it, because we had some issues with it.

@GreenMachine, RayM, anyone:

I've it's possible to install IE6SP2 on XPSP1.
Have any of you tried it ?
Do you think it's possible to do it for 2000 ?

Last Review: April 30, 2004
Revision: 1.0

Microsoft Windows Media Player (all versions) for Microsoft Windows 2000

• FIX: Some URL script commands do not work after you apply the Windows Media update from Knowledge Base article 828026
  WindowsMedia-KB832353-ENU.EXE
  WindowsMedia-KB832353-DEU.EXE
  WindowsMedia-KB832353-FRA.EXE

Add the new hotfix in SVC-HF1, silent switch: /Q /U /O /N /Z

Thanks urgan for your tests & comments.

• 1/ can you give me the name of the last IE update that updates 814078 jscript.dll. Do you mean scripten.exe ?
• 2/ i will try to build a new 2KCreate without 839645. Both sp3res.dll version 5.0.2195.6928 and shell32.dll version 5.0.3900.6922 are newer in 841356 sp3res.dll version 5.0.2195.6970 and shell32.dll version 5.0.3900.6975
• 3/ i will try to build a new 2KCreate replacing 828026 by 832353 newer versions of msdxm.ocx old version 6.4.9.1128 new 6.4.9.1129, wmp.dll old version 9.0.0.3075 new 9.0.0.3093, wmpcore7.dll old version 7.10.0.3075 new 7.10.0.3076, wmpcore8.dll old version 8.0.0.4491 new 8.0.0.4492

@Bilou

Sorry for the long answer.

Regarding 814078 I'm guessing here:

in IE6 SP1 (scripten.cab) the jscript.dll is 5.6.0.6626 with 589.874 bytes
in KB814078 the jscript.dll is 5.6.0.8513 with 589.881 bytes

On MS03-008, on "Additional information about this patch" says:
"The fix for this issue will be included in Windows 2000 Service Pack 4 and Windows XP Service Pack 2.", even if
it doesn't appear on SP4 fixes list.

But, in the "Windows Script 5.6 for Windows 2000 and XP", available here:

http://www.microsoft.com/downloads/details...&displaylang=en

from September 2004, (a year later), with a package version 5.6.0.8825, jscript.dll is also 5.6.0.6626, like IE.

Searching Microsoft Security Bulletins, for IE6 SP1,IE6 gold, 2000 SP4 or even Windows Script 5.1 doesn't bring this update.
I know hfnetchk did mention it on vanilla 2000SP4 workstations, that's why I've used to include it in our "apply all critical updates" batch files,
but since it brought us nothing but problems (hotmail, windowsupdate - sometimes having to reapply) i'm dropping it.

On the other updates, I'm also checking what works for me, with a difference: since I like to have this "vaccine" batches, I don't really want to mess with the i386 source, just have a "plug-it" svcpack that can be adapted to be applied on live systems too.
I'll keep you informed if I find out anything useful, but you are the one doing a great job.

On the other hand, most articles I found say the version installed by IE6 is the one vulnerable, and there was even a discussion
here
about jscript.dll.

Also found out

- an exploit here saying that 5.6.0.8513 is also vulnerable (another one ,since it's posterior to MS03-008?)

- a post in microsoft.public.scripting.jscript
here saying 5..6.8515 is the last build

- and a clean 2000 sliptreamed with SP4 has 5.1.0.8513

So I guess if using IE6 one should apply the update anyway, since it changes it to a vulnerable version (unless it was patched by MS).

Date Published: September 18, 2004
Version: 5.6.0.8825

Windows Script 5.6 for Windows 2000 and XP
(1) Can be used instead of 814078 Critical update
download details
This download installs Microsoft® Windows® Script containing Visual Basic® Script Edition (VBScript.) Version 5.6, JScript® Version 5.6, Windows Script Components, Windows Script Host 5.6, and Windows Script Runtime Version 5.6.
scripten.exe
scriptde.exe
scriptfr.exe

@urgan
After extraction, i have found the jscript.dll and vbscript.dll are both version 5.6.0.8825 (same as scriptxx.exe package version).
Currently, the 814078 hotfix install jscript.dll version 5.6.0.8513
I'm going to replace 814078 hotfix with this package which is newer.

In your installation, scripten.exe is not applied correctly i believe or the WFP has restored the IE6SP1 jscript.dll version 5.6.0.6626.
Try to extract scripten.exe to temp folder, right click jscript.dll to verify the version.

path\scripten.exe /c /t:path\tmp\scriptfr