The security update for Windows XP states that:
A security issue has been identified that could allow an authenticated local attacker to compromise your system and gain access to information. You can help protect your system by installing this update from Microsoft. After you install the update, you may have to restart your system.
The file versions of the files listed below will be updated to version 5.1.2600.6284 in Windows XP SP3:
File Name      Size        Date        Time   Branch
ntkrnlmp.exe   2,148,864   2012-08-21  13:33  SP3GDR
ntkrnlpa.exe   2,069,632   2012-08-22  01:28  SP3GDR
ntkrpamp.exe   2,027,520   2012-08-21  12:58  SP3GDR
ntoskrnl.exe   2,192,896   2012-08-21  13:29  SP3GDR
ntkrnlmp.exe   2,148,864   2012-08-21  13:52  SP3QFE
ntkrnlpa.exe   2,069,632   2012-08-21  13:05  SP3QFE
ntkrpamp.exe   2,027,520   2012-08-21  13:05  SP3QFE
ntoskrnl.exe   2,193,024   2012-08-21  13:48  SP3QFE
Prior to installing the update, I have found older versions of the following Windows XP SP3 files in version 5.1.2600.6223:
File Name      Size        Date        Time   Branch
ntkrnlmp.exe   2,148,352   2012-05-04  06:16  SP3QFE
ntkrnlpa.exe   2,069,120   2012-05-04  05:32  SP3QFE
ntkrpamp.exe   2,026,496   2012-05-04  05:32  SP3QfE
ntoskrnl.exe   2,192,640   2012-05-04  06:12  N/A
ntkrnlmp.exe and ntkrpamp can be found in \WINDOWS\Driver Cache\i386 while ntkrnlpa.exe and ntoskrnl.exe can both be found in the \WINDOWS\SYSTEM directory.
If you look in this controversial thread and search for the threads mentioning KB2724197, there have been numerous complaints regarding KB2721497 and how such an update dropped EMS support, apparently as a part of a phase-out of support for 16-bit DOS and Windows apps in 32-bit versions of Windows XP through Windows 8. And as a part of the phase-out of support for Windows XP, it is turning out that the moderators in the Microsoft forums haven't been too unhelpful.
By the way, for anyone who still wants to use EMS for use in 16-bit DOS-based apps in Windows XP, the files are placed in a hidden directory called \WINDOWS\$NtUninstallKB2724197$.
I'm just wondering this... is it possible to replace the current versions of ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe and ntoskrnl.exe with older versions found in \WINDOWS\$NtUninstallKB2724197$ by hand rather than uninstalling the update? I have backed up the files to the \EMS directory in case I want to do this.
Also, if I don't want the 16-bit subsystem in Windows XP anymore, is it possible to remove the NTVDM 16-bit subsystem?
I have installed the update in a Windows XP SP3 VMware Player VM, by the way.
Edited by ppgrainbow, 21 November 2012 - 01:12 AM.