Note: when the installation is started from (bootable) USB storage media, SD card etc., update packages can of course be installed during Windows Setup too.
Caveat: due to both a bug and a limitation the convenience rollup update package 3125574 can’t be installed during Windows Setup!
Especially on fresh installations of Windows 7 and Windows Server 2008 R2, Windows Update has suffered for more than two years from search times of many hours to even days, accompanied by high CPU usage.
To fix this problem, Microsoft published several update packages for the Windows Update Client, most notably 3102810, plus 3050265, 3065987, 3075851, 3083324, 3083710, 3112343, 3135445, 3138612 and 3161647, but none of them eliminates it yet.
The only fix which is known to work permanently is to install the latest cumulative update package for Internet Explorer 8 and the latest update package for the Windows Update Client before its first contact with the update servers.
On fresh installations of Windows 7 for 32-bit processor architecture, Windows Update fails completely: due to the limited virtual address space of only 2 GB per process the Windows Update Client terminates with HRESULT 0x8007000E alias E_OUTOFMEMORY (derived from Win32 error code 14 alias ERROR_OUTOFMEMORY) while searching for updates!
Note: the Windows Update Client updates itself during its first contact with the update servers, before it searches for updates, but installs the completely outdated version listed in the bit-rotten MSKB article 949104!
The overall number of (security) update packages to install on fresh installations of Windows 7 and Windows Server 2008 R2 has risen to well over 200.
Installation of update packages before or during Windows Setup avoids having to download and install them individually via Windows Update after every fresh installation; instead you download them only once, saving both time and bandwidth, and install them faster, since the target system is offline, and without the need to reboot multiple times.
An original Windows 7 SP1 installation disc.
Note: you may be eligible to download a disc image if you don’t have one.
An (empty) USB storage media or SD card with at least 3 GB capacity.
Your choice when to install update packages: do you want to install update packages during, before or after Windows Setup? Click the appropriate button to show the instructions.
applied image created by Windows Setup.
Download at least the last cumulative (security) update package for Internet Explorer 8, 3124903, 3124275 alias MS16-001, 4018271, and the latest (security) update package for the Windows Update Client, currently (February 28, 2017) 3161647; the latter is available only as part of the July 2016 (optional) update rollup package 3172605.
Note: be sure to download the update packages that match the processor architecture (32-bit: x86 alias I386; 64-bit: x64 alias AMD64) of your installation disc (or media)!
Optionally download other update packages of your choice, for example 917607, 958559, 969168, 974674, 2670838, 2685811, 2685813, 2729094, 2834140, 2836502, 2952664, 2999226, 3150513, 3177467, 3179573, 3185278, 3185330, 3197868, 3203884 and 3207752, and process them in the following steps like 3124275, 4018271 and 3172605 too.
Note: don’t forget to kick Microsoft for their bit-rotten MSKB article 949104!
Open the directory where you saved the downloaded update packages in Windows Explorer. This is typically your User Profiles’ Downloads directory, %USERPROFILE%\Downloads\.
In this directory you should see at least the files Windows6.1-KB3124275-x86.msu, windows6.1-kb4018271-x86-custom_0aaca7d3a92b3030bca78a44281ce86ec7cd5dab.msu and Windows6.1-KB3172605-x86.msu (for 32-bit processor architecture) or Windows6.1-KB3124275-x64.msu, windows6.1-kb4018271-x64-custom_33a66978d36f16a33b042b2abea45cdddf90c17f.msu and Windows6.1-KB3172605-x64.msu (for 64-bit processor architecture).
Change the extension of the files Windows6.1-KB*-x??.msu you downloaded in step 1. from .msu to .cab.
Open the renamed files (which are compressed archives) Windows6.1-KB*-x??.cab per double-click in Windows Explorer.
In each opened window you should see the four files Windows6.1-KB*-x??.cab, Windows6.1-KB*-x??.xml, Windows6.1-KB*-x??-pkgProperties.txt and WSUSSCAN.cab.
Plug a (preferably empty) USB storage medium or a (preferably empty) SD card into your computer.
From each compressed archive you opened in step 4., copy the files Windows6.1-KB*-x??.cab and Windows6.1-KB*-x??.xml (per drag & drop) to the root directory of the drive attached in step 5., then close the archives’ window.
If you want to keep the files downloaded in step 1., undo the changes made in step 3., i.e. restore the original extension .msu on all files you renamed, else delete these files.
Open the root directory of the drive you attached in step 5. in Windows Explorer.
In this directory you should see at least the following six files: Windows6.1-KB3124275-x??.cab and Windows6.1-KB3124275-x??.xml, Windows6.1-KB4018271-x??-custom.cab and Windows6.1-KB4018271-x??-custom.xml, plus Windows6.1-KB3172605-x??.cab and Windows6.1-KB3172605-x??.xml.
Change the extension of the files Windows6.1-KB*-x??.xml you extracted in step 6. from .xml to .txt.
In the right pane of the root directory window open the context menu per right-click and select New, then choose Text document and change the filename from New text document to AutoUnattend, keeping the extension .txt.
Open the empty file AutoUnattend.txt per double-click in Editor.
Open each (not yet empty) file Windows6.1-KB*-x??.txt you renamed in step 9. per double-click in Editor, select all its contents by pressing the Ctrl A keys, cut the selection by pressing the Ctrl X keys, close the file and save the changes (thereby writing the empty file back), then insert the cut-out contents at the bottom of the AutoUnattend.txt file by pressing the Ctrl V keys.
In the (still open) AutoUnattend.txt file delete each block of the six consecutive lines
</servicing>
</unattend>
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<servicing>
then close the file and save the changes.
Change the extension of the AutoUnattend.txt file from .txt to .xml.
Delete the (now empty) files Windows6.1-KB*-x??.txt you renamed in step 9. and rewrote in step 12.
Use Safely Remove Hardware from the notification area alias system tray of the taskbar to eject the prepared USB storage media or SD card, then unplug it from your computer.
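The cut-and-paste of steps 9 to 13 can be done XML-aware instead: the following Windows PowerShell script, added here as an example (it is not part of the original page), reads every Windows6.1-KB*-x??.xml copied to the root of the prepared drive in step 6 and writes one AutoUnattend.xml whose <servicing> element contains all <package> elements, so no seams of leftover </servicing>, </unattend> and <?xml …?> lines can remain. The -Root parameter and the variable names are this example's own; it assumes each per-package XML has the structure <unattend><servicing><package/></servicing></unattend>, which is what the .msu archives contain.

```powershell
# Added example, not part of the original page: merge the per-package
# Windows6.1-KB*-x??.xml files into one AutoUnattend.xml (XML-aware
# replacement for steps 9 to 13). Run before step 9, while the files
# still carry the extension .xml.
# Assumption (this example's own): -Root is the root of the prepared drive, e.g. E:\
param(
    [Parameter(Mandatory = $true)] [string] $Root
)

$ns = 'urn:schemas-microsoft-com:unattend'
$files = Get-ChildItem -Path $Root -Filter 'Windows6.1-KB*-x??.xml' | Sort-Object Name
if (-not $files) { throw "no Windows6.1-KB*-x??.xml files found in $Root" }

# Skeleton of the merged answer file; <servicing> receives one <package> per update package
[xml] $merged = '<?xml version="1.0" encoding="utf-8"?><unattend xmlns="urn:schemas-microsoft-com:unattend"><servicing/></unattend>'
$nsm = New-Object System.Xml.XmlNamespaceManager($merged.NameTable)
$nsm.AddNamespace('u', $ns)
$target = $merged.SelectSingleNode('/u:unattend/u:servicing', $nsm)

foreach ($file in $files) {
    [xml] $part = [System.IO.File]::ReadAllText($file.FullName)
    $packages = $part.SelectNodes('/u:unattend/u:servicing/u:package', $nsm)
    if ($packages.Count -eq 0) {
        Write-Warning "$($file.Name): no <package> element found, skipped"
        continue
    }
    foreach ($pkg in $packages) {
        # ImportNode deep-copies <package> with its <assemblyIdentity> and <source> children
        [void] $target.AppendChild($merged.ImportNode($pkg, $true))
        $id = $pkg.SelectSingleNode('u:assemblyIdentity', $nsm)
        $label = if ($id) { $id.GetAttribute('name') } else { '(no assemblyIdentity)' }
        Write-Host ('{0}: {1}' -f $file.Name, $label)
    }
}

# Write the result as UTF-8 without byte order mark, as declared in its XML header
$out = Join-Path $Root 'AutoUnattend.xml'
$settings = New-Object System.Xml.XmlWriterSettings
$settings.Indent = $true
$settings.Encoding = New-Object System.Text.UTF8Encoding($false)
$writer = [System.Xml.XmlWriter]::Create($out, $settings)
try { $merged.Save($writer) } finally { $writer.Close() }
Write-Host "wrote $out with $($target.ChildNodes.Count) package element(s)"
```

Run it as `.\Merge-Unattend.ps1 -Root E:\` (name and drive letter are examples) from a Windows PowerShell prompt; afterwards steps 9 to 13 are unnecessary and only the .xml files of the individual packages need to be deleted.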
AutoUnattend.xml answer file and applies it during installation.
Note: ‹target drive›:\$WINDOWS.~BT\Sources\DISM.exe, the program run by Windows Setup to perform this task, writes the log file ‹target drive›:\$WINDOWS.~BT\Sources\Panther\CBS.log, which is stored as %SystemRoot%\Panther\CBS.log in the installed system for later examination.
Caveat: for Windows Vista, the MSKB article 939289 documents a bug with the procedure presented here, and its resolution. If you encounter this bug with Windows 7 SP1 too, perform the alternative (automatic or manual) installation below, or insert the following lines before the last line of the AutoUnattend.xml answer file:
<settings pass="windowsPE">
<component
language="neutral"
name="Microsoft-Windows-Setup"
processorArchitecture="*"
publicKeyToken="31bf3856ad364e35"
versionScope="nonSxS">
<userData>
<acceptEula>true</acceptEula>
</userData>
</component>
</settings>
AutoUnattend.xml answer file created above:
Setup.exe /Unattend:"[‹path›\]AutoUnattend.xml"
Setup.exe /NoReboot
After completion run
DISM.exe /Image:"‹target drive›:" /LogPath:"‹target drive›:\Windows\Logs\DISM\DISM.log" /ScratchDir:"‹target drive›:\Windows\Temp" /Apply-Unattend:"[‹path›\]AutoUnattend.xml"
to use the AutoUnattend.xml answer file created above, or run
DISM.exe /Image:"‹target drive›:" /LogPath:"‹target drive›:\Windows\Logs\DISM\DISM.log" /ScratchDir:"‹target drive›:\Windows\Temp" /Add-Package /PackagePath:"[‹path›\]Windows6.1-KB…-x….cab" […]
to install one or more update packages without answer file.
mounted image of the installation discs’ \sources\install.wim.
Download the following update packages:
convenience rollup update package;
convenience rollup update package;
July 2016 (optional) update rollup package, containing the latest (security) update package for the Windows Update Client;
August 2016 (optional) update rollup package.
Note: be sure to download the update packages that match the processor architecture (32-bit: x86 alias I386; 64-bit: x64 alias AMD64) and the language of your installation disc!
A batch script BITS_ALL.CMD
which downloads these
update packages using
BITS
is available on request.
Caveat: due to a bug the newer update package 3177467 which replaces 3020369 is not suitable as prerequisite for offline installation of the convenience rollup update package!
Open the directory where you saved the downloaded update packages in Windows Explorer. This is typically your User Profiles’ Downloads directory, %USERPROFILE%\Downloads\.
For slipstreaming a German 32-bit edition of Windows 7 SP1 you should see the following files there:
IE-Hyphenation-de.msu
IE-Spelling-de.msu
IE11-Windows6.1-KB2841134-x86.cab
kmdf-1.11-Win-6.1-x86.msu
Umdf-1.11-Win-6.1-x86.msu
Windows6.1-KB2670838-x86.msu
Windows6.1-KB2729094-v2-x86.msu
Windows6.1-KB2834140-v2-x86.msu
Windows6.1-KB2836502-x86.msu
Windows6.1-KB2841134-x86.cab
Windows6.1-KB3020369-x86.msu
Windows6.1-KB3124275-x86.msu
windows6.1-kb4018271-x86-custom_0aaca7d3a92b3030bca78a44281ce86ec7cd5dab.msu
windows6.1-kb3125574-v4-x86_ba1ff5537312561795cc04db0b02fbb0a74b2cbd.msu
Windows6.1-KB3172605-x86.msu
Windows6.1-KB3179573-x86.msu
For slipstreaming a German 64-bit edition of Windows 7 SP1 you should see the following files there:
IE-Hyphenation-de.msu
IE-Spelling-de.msu
IE11-Windows6.1-KB2841134-x64.cab
kmdf-1.11-Win-6.1-x64.msu
Umdf-1.11-Win-6.1-x64.msu
Windows6.1-KB2670838-x64.msu
Windows6.1-KB2729094-v2-x64.msu
Windows6.1-KB2834140-v2-x64.msu
Windows6.1-KB2836502-x64.msu
Windows6.1-KB2841134-x64.cab
Windows6.1-KB3020369-x64.msu
Windows6.1-KB3124275-x64.msu
windows6.1-kb4018271-x64-custom_33a66978d36f16a33b042b2abea45cdddf90c17f.msu
windows6.1-kb3125574-v4-x64_2dafb1d203c8964239af3048b5dd4b1264cd93b9.msu
Windows6.1-KB3172605-x64.msu
Windows6.1-KB3179573-x64.msu
Note: the update packages IE11-Windows6.1-KB2841134-x??.cab and Windows6.1-KB*-??.msu are language-neutral!
Note: there is no English (en-US) language pack Windows6.1-KB2841134-x??.cab for Internet Explorer 11!
Note: the hyphenation and spelling pack files IE-Hyphenation-??.msu and IE-Spelling-??.msu for Internet Explorer 11 are architecture-independent!
Note: adaption of the filenames and download links for other languages and locales is left as (trivial) exercise to the reader.
Note: the 40-character suffix (like ba1ff5537312561795cc04db0b02fbb0a74b2cbd and 2dafb1d203c8964239af3048b5dd4b1264cd93b9 shown above) in the name of files available from the Microsoft Download Catalog is the SHA-1 hash of the files’ content.
Rename the (German) language pack file Windows6.1-KB2841134-x??.cab to Windows6.1-KB2841134-x??-de-DE.cab first, then rename IE11-Windows6.1-KB2841134-x??.cab to Windows6.1-KB2841134-x??.cab.
Note: renaming of other locales’ language pack files Windows6.1-KB2841134-x??.cab to Windows6.1-KB2841134-x??-??-??.cab is left as (trivial) exercise to the reader.
Create an empty directory and move the renamed files Windows6.1-KB2841134-x*.cab into it.
Change the extension of the files you downloaded in step 1. from .msu to .cab.
Open the renamed files (which are compressed archives) per double-click in Windows Explorer.
In each opened window you should see the four files Windows6.?-KB*-x??.cab, Windows6.?-KB*-x??.xml, Windows6.?-KB*-x??-pkgProperties.txt and WSUSSCAN.cab.
From each compressed archive you opened in step 6., copy the file Windows6.?-KB*-x??.cab (per drag & drop) to the directory you created in step 4., then close the archives’ window.
If you want to keep the files downloaded in step 1., undo the changes made in step 5., i.e. restore the original extension .msu on all files you renamed, else delete these files, then close the window you opened in step 2.
Open the directory you created in step 4. in Windows Explorer.
For slipstreaming a German 32-bit edition of Windows 7 SP1 you should see the following files there:
Windows6.1-KB2670838-x86.cab
Windows6.1-KB2685811-x86.cab
Windows6.1-KB2685813-x86.cab
Windows6.1-KB2729094-v2-x86.cab
Windows6.1-KB2834140-v2-x86.cab
Windows6.1-KB2836502-x86.cab
Windows6.1-KB2841134-x86.cab
Windows6.1-KB2841134-x86-de-DE.cab
Windows6.1-KB3020369-x86.cab
Windows6.1-KB3124275-x86.cab
Windows6.1-KB4018271-x86-custom.cab
Windows6.1-KB3125574-v4-x86.cab
Windows6.1-KB3172605-x86.cab
Windows6.1-KB3179573-x86.cab
Windows6.3-KB2849696-x86.cab
Windows6.3-KB2849697-x86.cab
Note: the hyphenation and spelling pack files Windows6.3-KB2849696-x86.cab and Windows6.3-KB2849697-x86.cab for Internet Explorer 11 are architecture-independent!
Rename the (German) spelling pack file Windows6.3-KB2849696-x86.cab to Windows6.3-KB2849696-de.cab, and the (German) hyphenation pack file Windows6.3-KB2849697-x86.cab to Windows6.3-KB2849697-de.cab.
Note: renaming of other languages’ spelling and hyphenation pack files Windows6.3-KB2849696-x86.cab and Windows6.3-KB2849697-x86.cab to Windows6.3-KB2849696-??.cab and Windows6.3-KB2849697-??.cab respectively is left as (trivial) exercise to the reader.
Copy the file \sources\install.wim from your Windows 7 SP1 installation DVD into the directory opened in step 9.
Note: you can merge the \sources\install.wim from a 32-bit and a 64-bit installation disc into one install.wim to create a single installation media for both processor architectures: 32-bit Windows PE supports the installation of 64-bit images too; see the TechNet articles Cross-Platform Deployment, Windows Setup Cross-Platform Deployment, Create a Windows Image for Multiple Architecture Types and Create a Windows Image for Multiple Architecture Types for details!
Start an elevated (i.e. administrative) Command Processor in the directory opened in step 9. and run the following seven command lines for every Windows 7 edition you need or want to update:
MKDIR "%SystemDrive%\WIM"
"%SystemRoot%\System32\DISM.exe" /Mount-Wim /MountDir:"%SystemDrive%\WIM" /WimFile:"%CD%\install.wim" /Index:‹index›
"%SystemRoot%\System32\DISM.exe" /Image:"%SystemDrive%\WIM" /Add-Package /PackagePath:"%CD%\Windows6.1-KB3020369-x86.cab"
"%SystemRoot%\System32\DISM.exe" /Image:"%SystemDrive%\WIM" /Add-Package /PackagePath:"%CD%\Windows6.1-KB2670838-x86.cab" /PackagePath:"%CD%\Windows6.1-KB2685811-x86.cab" /PackagePath:"%CD%\Windows6.1-KB2685813-x86.cab" /PackagePath:"%CD%\Windows6.1-KB2729094-v2-x86.cab" /PackagePath:"%CD%\Windows6.1-KB3124275-x86.cab" /PackagePath:"%CD%\Windows6.1-KB4018271-x86-custom.cab" /PackagePath:"%CD%\Windows6.1-KB3172605-x86.cab" /PackagePath:"%CD%\Windows6.1-KB3179573-x86.cab" /PackagePath:"%CD%\Windows6.1-KB3125574-v4-x86.cab"
"%SystemRoot%\System32\DISM.exe" /Image:"%SystemDrive%\WIM" /Add-Package /PackagePath:"%CD%\Windows6.1-KB2841134-x86.cab" /PackagePath:"%CD%\Windows6.1-KB2841134-x86-de-DE.cab" /PackagePath:"%CD%\Windows6.3-KB2849696-de.cab" /PackagePath:"%CD%\Windows6.3-KB2849697-de.cab"
"%SystemRoot%\System32\DISM.exe" /Unmount-Wim /MountDir:"%SystemDrive%\WIM" /Commit
RMDIR "%SystemDrive%\WIM"
Note: replace ‹index› with the index of the Windows 7 edition of your installation disc!
Edition      | Index (32-bit) | Index (64-bit)
Starter      | 1              | –
Home Basic   | 2              | 1
Home Premium | 3              | 2
Professional | 4              | 3
Ultimate     | 5              | 4
Note: for 64-bit images change every occurrence of -x86 to -x64.
Caveat: if one of the three command lines DISM.exe … /Add-Package … happens to fail, run the following two command lines to discard all changes, unmount the image and remove the directory, then stop:
"%SystemRoot%\System32\DISM.exe" /Unmount-Wim /MountDir:"%SystemDrive%\WIM" /Discard
RMDIR "%SystemDrive%\WIM"
Note: addition of more or other locales’ language pack files Windows6.1-KB2841134-x86-??-??.cab and more or other languages’ spelling and hyphenation pack files Windows6.3-KB2849696-??.cab and Windows6.3-KB2849697-??.cab for Internet Explorer 11 is left as (trivial) exercise to the reader.
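The seven command lines of step 11 together with the rollback the caveat demands, as a Windows PowerShell script added here for illustration (it is not the page's own script): every DISM.exe call is checked, and if any DISM.exe … /Add-Package … command fails, the mounted image is unmounted with /Discard instead of /Commit, so a partially serviced image never reaches install.wim. The package groups keep the order of step 11, with 3020369 alone in the first session and the convenience rollup 3125574 as the last package of the second. The parameters -Index, -Arch, -Locale and -Lang and the helper Invoke-Dism are this example's own names; it assumes it is run from an elevated Windows PowerShell in the directory of step 9 that holds install.wim and the *.cab files.

```powershell
# Added example, not part of the original page: step 11 with error checking
# and rollback. Assumptions (this example's own): current directory holds
# install.wim and the *.cab files; parameter names are invented here.
param(
    [Parameter(Mandatory = $true)] [int] $Index,        # see the edition/index table above
    [ValidateSet('x86', 'x64')] [string] $Arch = 'x86',
    [string] $Locale = 'de-DE',                         # IE11 language pack suffix
    [string] $Lang   = 'de'                             # IE11 spelling/hyphenation pack suffix
)

$dism  = Join-Path $env:SystemRoot 'System32\DISM.exe'
$mount = Join-Path $env:SystemDrive 'WIM'
$here  = (Get-Location).ProviderPath

# Package groups in the order step 11 prescribes: the prerequisite 3020369 on
# its own, then the remaining Windows packages with the convenience rollup
# 3125574 as the last package of that session, then the IE11 packages.
$groups = @(
    ,@("Windows6.1-KB3020369-$Arch.cab")
    ,@("Windows6.1-KB2670838-$Arch.cab", "Windows6.1-KB2685811-$Arch.cab",
       "Windows6.1-KB2685813-$Arch.cab", "Windows6.1-KB2729094-v2-$Arch.cab",
       "Windows6.1-KB3124275-$Arch.cab", "Windows6.1-KB4018271-$Arch-custom.cab",
       "Windows6.1-KB3172605-$Arch.cab", "Windows6.1-KB3179573-$Arch.cab",
       "Windows6.1-KB3125574-v4-$Arch.cab")
    ,@("Windows6.1-KB2841134-$Arch.cab", "Windows6.1-KB2841134-$Arch-$Locale.cab",
       "Windows6.3-KB2849696-$Lang.cab", "Windows6.3-KB2849697-$Lang.cab")
)

function Invoke-Dism([string[]] $Arguments) {
    # Run DISM.exe and turn a non-zero exit code into a terminating error
    & $dism @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "DISM.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Refuse to start when a package file is missing, before anything is mounted
foreach ($group in $groups) {
    foreach ($cab in $group) {
        if (-not (Test-Path -LiteralPath (Join-Path $here $cab))) { throw "missing package file: $cab" }
    }
}

New-Item -ItemType Directory -Path $mount -Force | Out-Null
Invoke-Dism @('/Mount-Wim', "/MountDir:$mount", "/WimFile:$here\install.wim", "/Index:$Index")
$committed = $false
try {
    foreach ($group in $groups) {
        $dismArgs = @("/Image:$mount", '/Add-Package')
        foreach ($cab in $group) { $dismArgs += "/PackagePath:$here\$cab" }
        Invoke-Dism $dismArgs
    }
    # Only reached when every /Add-Package session succeeded
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$mount", '/Commit')
    $committed = $true
} finally {
    if (-not $committed) {
        Write-Warning 'a DISM.exe command failed; discarding all changes to the mounted image'
        & $dism /Unmount-Wim "/MountDir:$mount" /Discard
    }
    Remove-Item -LiteralPath $mount -Force -ErrorAction SilentlyContinue
}
```

Invoke it once per edition, for example `.\Update-Wim.ps1 -Index 4` for 32-bit Professional or `.\Update-Wim.ps1 -Index 3 -Arch x64` for 64-bit Professional (script name and indices as in the table above); the /Discard branch corresponds to the two command lines of the caveat.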
Plug a (preferably empty) USB storage medium or a (preferably empty) SD card into your computer.
Run the following command line in the (still open) elevated Command Processor:
"%SystemRoot%\System32\DiskPart.exe"
At the DISKPART> prompt enter the following statements to determine the disk number of the USB storage media or SD card first, then clobber it, partition it, make it bootable, assign a drive letter and exit the DiskPart.exe utility (see DiskPart Command-Line Options):
LIST DISK
SELECT DISK ‹number›
CLEAN
CREATE PARTITION PRIMARY
ACTIVE
ASSIGN
EXIT
Note: replace ‹number› with the appropriate disk number from the output of the LIST DISK statement.
Note the drive letter shown in the AutoPlay dialog box, then close it.
Run the following six command lines in the (still open) elevated Command Processor to format the USB storage media or SD card, copy the contents of the Windows 7 SP1 installation DVD except install.wim to it, move the modified install.wim to it, and finally close the Command Processor:
"%SystemRoot%\System32\Format.exe" ‹drive letter›: /FS:NTFS /Q /S:Disable
ECHO install.wim 1>"%TMP%\exclude.tmp"
"%SystemRoot%\System32\XCopy.exe" ‹optical drive›:\* ‹drive letter›: /E /EXCLUDE:"%TMP%\exclude.tmp" /Q
ERASE "%TMP%\exclude.tmp"
MOVE "%CD%\install.wim" ‹drive letter›:\sources
EXIT
Note: replace ‹drive letter› with the drive letter shown in the AutoPlay dialog box from step 15.
Use Safely Remove Hardware from the notification area alias system tray of the taskbar to eject the prepared USB storage media or SD card, then unplug it from your computer.
out of the box, so there are no instructions!
Setup.exe and DISM.exe, the programs behind Windows Setup, install all update packages referenced in the <servicing> section of the AutoUnattend.xml answer file in a single session; the update package 3020369, a prerequisite for the convenience rollup update package 3125574, however has to be installed in a separate session.
Caveat: due to a bug the newer update package 3177467 which replaces 3020369 is not suitable as prerequisite for offline installation of the convenience rollup update package!
Note: offline installation of hotfix packages which update files residing on the UEFI system partition must be performed via Setup.exe; they fail when performed via DISM.exe, as documented in the MSKB article 2846298.
convenience rollup update package 3125574 into an applied image (like the one created by Windows Setup) residing on a disk volume alias partition using one of the equivalent command lines
"%SystemRoot%\System32\DISM.exe" /Image:"‹target drive›:" /Apply-Unattend:"[‹path›\]Windows6.1-KB3125574-v4-x86.xml"
"%SystemRoot%\System32\DISM.exe" /Image:"‹target drive›:" /Add-Package /PackagePath:"[‹path›\]Windows6.1-KB3125574-v4-x86.cab"
fails with Win32 error code 5 alias ERROR_ACCESS_DENIED (derived from NTSTATUS 0xC0000121 alias STATUS_CANNOT_DELETE) returned from the attempt to create the hardlink ‹target drive›:\Windows\System32\MSI.dll and renders the applied image unusable!
Online installation using one of the equivalent command lines
"%SystemRoot%\System32\DISM.exe" /Online /Apply-Unattend:"[‹path›\]Windows6.1-KB3125574-v4-x86.xml"
"%SystemRoot%\System32\DISM.exe" /Online /Add-Package /PackagePath:"[‹path›\]Windows6.1-KB3125574-v4-x86.cab"
however works as designed and documented.
Offline installation of the convenience rollup update package 3125574 into a virtual hard disk image using the same command lines
"%SystemRoot%\System32\DISM.exe" /Image:"‹target drive›:" /Apply-Unattend:"[‹path›\]Windows6.1-KB3125574-v4-x86.xml"
"%SystemRoot%\System32\DISM.exe" /Image:"‹target drive›:" /Add-Package /PackagePath:"[‹path›\]Windows6.1-KB3125574-v4-x86.cab"
as well as its offline installation into a mounted image using the command lines
"%SystemRoot%\System32\DISM.exe" /Mount-Wim /MountDir:"‹directory›" /WimFile:"[…\]Install.wim" /Index:‹index›
"%SystemRoot%\System32\DISM.exe" /Image:"‹directory›" /Apply-Unattend:"[‹path›\]Windows6.1-KB3125574-v4-x86.xml"
"%SystemRoot%\System32\DISM.exe" /Image:"‹directory›" /Add-Package /PackagePath:"[‹path›\]Windows6.1-KB3125574-v4-x86.cab"
"%SystemRoot%\System32\DISM.exe" /Unmount-Wim /MountDir:"‹directory›" /Commit
works too.
Offline installation into a mounted image or a virtual hard disk image however fails and renders the mounted image or the virtual hard disk image unusable if the convenience rollup update package is installed together with other update packages, for example 3161608 or 3172605, but not as last update package of the session, as in the following command lines:
"%SystemRoot%\System32\DISM.exe" /Mount-Wim /MountDir:"‹directory›" /WimFile:"[…\]Install.wim" /Index:‹index›
"%SystemRoot%\System32\DISM.exe" /Image:"‹directory›" /Add-Package /PackagePath:"[‹path›\]Windows6.1-KB3125574-v4-x86.cab" /PackagePath:"[‹path›\]Windows6.1-KB3172605-x86.cab"
SetupComplete.cmd to apply Registry changes and run command line(s) automatically after Windows Setup!
Rem Copyright © 2009-2025, Stefan Kanthak <stefan.kanthak@nexgo.de>
Rem This script runs invisible after the second reboot under the
Rem 'NT AUTHORITY\SYSTEM' alias 'LocalSystem' user account.
Rem CAUTION: no user interaction possible!
Rem Prevent accidental execution
If Not "%USERNAME%" == "SYSTEM" Exit /B
If /I Not "%USERPROFILE%" == "%SystemRoot%\System32\Config\SystemProfile" Exit /B
If /I Not "%~f0" == "%SystemRoot%\Setup\Scripts\SetupComplete.cmd" Exit /B
Call :REDIRECT %* 0<NUL: 1>"%SystemRoot%\Setup\Scripts\SetupComplete.out" 2>"%SystemRoot%\Setup\Scripts\SetupComplete.err"
Exit /B
:REDIRECT
Rem %CMDCMDLINE%
Rem %DATE% %TIME%
…
"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\AdvPack.dll",LaunchINFSection "%SystemRoot%\Setup\Scripts\SetupComplete.inf",UnattendedInstall
…
Create the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000005
"IncludeRecommendedUpdates"=dword:00000000
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
to disable automatic installation of update packages followed by an automatic reboot while users are logged on, as documented in the TechNet article Configure Automatic Updates in a Non–Active Directory Environment.
Additionally see the MSKB article 2725311.
On 32-bit editions, create the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WoW]
"DisallowedPolicyDefault"=dword:00000001
to disable the NTVDM subsystem for 16-bit applications, as documented in the MSKB article 979682 and the Security Bulletins MS10-098 and MS13-063.
Create the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\WinTrust\Config]
"EnableCertPaddingCheck"="1"
to enforce proper Authenticode Signature verification, as documented in the MSKB article 2893294, the Security Bulletin MS13-098 and the Security Advisory 2915720.
Create the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots]
"Flags"=dword:00000003
to prevent the use of root certificates installed in user context, as documented in the TechNet article CA Certificates Tools and Settings.
Create the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDLLSearch"=dword:ffffffff
"SafeDLLSearchMode"=dword:00000001
"SafeProcessSearchMode"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"NoDefaultCurrentDirectoryInExePath"="*"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel]
"DisableExceptionChainValidation"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnableLowVAAccess"=dword:00000000
"EnforceWriteProtection"=dword:00000001
"LargePageMinimum"=dword:ffffffff
"MoveImages"=dword:ffffffff
to remove the CWD alias . from the search path for DLLs and programs, as documented in the MSKB article 2264107 and the MSDN article NeedCurrentDirectoryForExePath() respectively, to search DLLs and programs in the CWD alias . after the system directories, as documented in the MSKB articles SafeDllSearchMode, 905890, 917422 and 959426 as well as the MSDN articles Dynamic-Link Library Search Order, Dynamic-Link Library Security, SearchPath() function and SetSearchPathMode() function, to enable SEHOP, as documented in the MSKB article 956607, to disable mapping the NULL page, as documented in the security bulletins MS15-010 and MS15-061, to enforce write-protected kernel pages, and to enforce ASLR for all relocatable executables.
Create respectively modify the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"RequireSecuritySignature"=dword:00000001
"SMB1"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManWorkstation]
"AllowInsecureGuestAuth"=dword:00000000
;"DependOnService"=multi:"Bowser","MRxSmb20","NSI"
"DependOnService"=hex(7):42,6f,77,73,65,72,00,4d,52,78,53,4d,42,32,30,00,4e,53,49,00,00
"RequireSecuritySignature"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxSMB10]
"Start"=dword:00000004
to enforce SMB signing incoming and outgoing, to disable insecure Guest logins to SMBv2 servers as well as the deprecated and insecure SMBv1 protocol incoming and outgoing, as documented in the MSKB articles 161372, 4046019 and 2696547.
Unless you definitively need the deprecated 6to4, IP-HTTPS, ISATAP, and Teredo tunneling protocols, create the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp6\Parameters]
"DisabledComponents"=dword:000000cf
to disable them, as documented in the MSKB article 929852 and the TechNet article Internet Protocol Version 6, Teredo, and Related Technologies in Windows 7 and Windows Server 2008 R2.
Create respectively modify the Registry entries
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHTTP]
"DefaultSecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"SecureProtocols"=dword:00000a00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 40/128]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 56/128]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Ciphers\RC4 128/128]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
to disable the deprecated and insecure SSL v2.0, SSL v3.0 and TLS v1.0 protocols, and to enable the TLS v1.1 and TLS v1.2 protocols, as documented in the MSKB articles 245030, 2868725, 3140245, 3151631, 3206898 and 4019276.
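A read-only audit of the Session Manager, SMB and SChannel entries from the REGEDIT4 blocks above, added here as an example in Windows PowerShell (it is not the author's script): it reports every key or value that is missing or differs from the value the page prescribes, which is the check a practitioner wants after the entries have been applied via SetupComplete.cmd or a .reg file. The function Test-ExpectedValue and the variable names are this example's own; the expected values are copied from the blocks above. It reads HKLM\SYSTEM only, which is not subject to WOW64 registry redirection, and changes nothing.

```powershell
# Added example, not part of the original page: audit the Session Manager,
# SMB and SChannel entries listed above against the prescribed values.
# Read-only; run in an elevated Windows PowerShell.

function Test-ExpectedValue([string] $SubKey, [string] $Name, $Want) {
    # Returns a finding string, or $null when the value matches.
    # The .NET API is used because key names like 'RC4 40/128' contain a
    # slash, which an HKLM: provider path would treat as a separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey)
    if ($null -eq $key) { return "MISSING KEY    HKLM\$SubKey" }
    try { $actual = $key.GetValue($Name, $null) } finally { $key.Close() }
    if ($null -eq $actual) { return "MISSING VALUE  HKLM\$SubKey\$Name (expected $Want)" }
    # REG_DWORD is returned as a signed Int32, so 0xffffffff reads as -1;
    # normalize to the unsigned value before comparing.
    if ($actual -is [int]) { $actual = [int64]$actual -band 0xffffffff }
    if ($actual -ne $Want) { return "MISMATCH       HKLM\$SubKey\$Name is $actual, expected $Want" }
    return $null
}

$sm = 'SYSTEM\CurrentControlSet\Control\Session Manager'
$Expected = @(
    # DLL/EXE search order, SEHOP, NULL page, kernel write protection, ASLR
    @{ SubKey = $sm;                     Name = 'CWDIllegalInDLLSearch';              Value = 0xffffffff }
    @{ SubKey = $sm;                     Name = 'SafeDLLSearchMode';                  Value = 1 }
    @{ SubKey = $sm;                     Name = 'SafeProcessSearchMode';              Value = 1 }
    @{ SubKey = "$sm\Environment";       Name = 'NoDefaultCurrentDirectoryInExePath'; Value = '*' }
    @{ SubKey = "$sm\Kernel";            Name = 'DisableExceptionChainValidation';    Value = 0 }
    @{ SubKey = "$sm\Memory Management"; Name = 'EnableLowVAAccess';                  Value = 0 }
    @{ SubKey = "$sm\Memory Management"; Name = 'EnforceWriteProtection';             Value = 1 }
    @{ SubKey = "$sm\Memory Management"; Name = 'MoveImages';                         Value = 0xffffffff }
    # SMB signing required both ways, insecure guest logons off, SMBv1 disabled both ways
    @{ SubKey = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'RequireSecuritySignature'; Value = 1 }
    @{ SubKey = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'; Name = 'SMB1';                     Value = 0 }
    @{ SubKey = 'SYSTEM\CurrentControlSet\Services\LanManWorkstation';       Name = 'RequireSecuritySignature'; Value = 1 }
    @{ SubKey = 'SYSTEM\CurrentControlSet\Services\LanManWorkstation';       Name = 'AllowInsecureGuestAuth';   Value = 0 }
    @{ SubKey = 'SYSTEM\CurrentControlSet\Services\MRxSMB10';                Name = 'Start';                    Value = 4 }
)

# SChannel: (DisabledByDefault, Enabled) per protocol, for Client and Server
$schannel  = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SChannel'
$protocols = @{ 'SSL 2.0' = @(1, 0); 'SSL 3.0' = @(1, 0); 'TLS 1.0' = @(1, 1); 'TLS 1.1' = @(0, 1); 'TLS 1.2' = @(0, 1) }
foreach ($proto in $protocols.Keys) {
    foreach ($side in 'Client', 'Server') {
        $Expected += @{ SubKey = "$schannel\Protocols\$proto\$side"; Name = 'DisabledByDefault'; Value = $protocols[$proto][0] }
        $Expected += @{ SubKey = "$schannel\Protocols\$proto\$side"; Name = 'Enabled';           Value = $protocols[$proto][1] }
    }
}
# RC4 cipher suites disabled
foreach ($cipher in 'RC4 40/128', 'RC4 56/128', 'RC4 128/128') {
    $Expected += @{ SubKey = "$schannel\Ciphers\$cipher"; Name = 'DisabledByDefault'; Value = 1 }
    $Expected += @{ SubKey = "$schannel\Ciphers\$cipher"; Name = 'Enabled';           Value = 0 }
}

$findings = @()
foreach ($e in $Expected) {
    $f = Test-ExpectedValue $e.SubKey $e.Name $e.Value
    if ($f) { $findings += $f }
}
if ($findings.Count -eq 0) { "all $($Expected.Count) audited entries match" } else { $findings }
```

A missing SChannel key is reported as MISSING KEY rather than as a mismatch, because without the key the system falls back to its built-in defaults (on Windows 7 that means SSL 3.0 and TLS 1.0 stay enabled); the per-user SecureProtocols value under HKEY_CURRENT_USER is deliberately not covered, since it has to be checked in each user's context.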
Create respectively modify the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
"SystemDefaultTLSVersions"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
to disable the deprecated and insecure RC4 cipher and to enable the TLS v1.2 protocol for .NET Framework, as documented in the MSKB articles 2960358, 3154518, 3160699 and 3206898, and the Security Advisory 2960358.
Unless you definitively need .NET Framework 4, .NET Framework 4.5, .NET Framework 4.6, .NET Framework 4.7 or .NET Framework 4.8, create the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU]
"BlockNetFramework4"=dword:00000001
"BlockNetFramework45"=dword:00000001
"BlockNetFramework451"=dword:00000001
"BlockNetFramework452"=dword:00000001
"BlockNetFramework46"=dword:00000001
"BlockNetFramework461"=dword:00000001
"BlockNetFramework462"=dword:00000001
"BlockNetFramework47"=dword:00000001
"BlockNetFramework471"=dword:00000001
"BlockNetFramework472"=dword:00000001
"BlockNetFramework48"=dword:00000001
to block their automatic initial installation via Windows Update, as documented in the MSKB articles 982320, 2721187, 2971109, 3133990, 4024204, 4052152, 4342394 and 4516563.
Note: any installed .NET Framework still receives (security) updates via Windows Update!
Unless you definitively want to use the Malicious Software Removal Tool, create the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontOfferThroughWUAU"=dword:00000001
"DontReportInfectionInformation"=dword:00000001
to block its automatic monthly (re)installation via Windows Update and disable its reporting feature, as documented in the MSKB articles 890830 and 891716.
Create the Registry entries
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000002
"ConsentPromptBehaviorUser"=dword:00000000
to disable UAC’s silent (automatic) elevation in the protected administrator account created during Windows Setup, and to disable elevation in (unprivileged) standard user accounts, as documented in the TechNet article UAC Group Policy Settings and Registry Key Settings.
Create the Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"SafeModeBlockNonAdmins"=dword:00000001
to prevent unprivileged users from logging on in Safe Mode.
Run the command line
"%SystemRoot%\System32\Net.exe" USER Administrator /Active:Yes /PasswordReq:Yes
to enable the builtin Administrator account, as documented in the TechNet article Enable and Disable the Built-in Administrator Account, then run the command lines
"%SystemRoot%\System32\Net.exe" LOCALGROUP Administrators "‹account name›" /Delete
"%SystemRoot%\System32\Net.exe" LOCALGROUP Users "‹account name›" /Add
to demote the (privileged) protected administrator account created during Windows Setup to an (unprivileged) standard user account (see Net user and Net localgroup).
Caveat: don’t forget to set a (strong) password for the builtin Administrator account!
If you want to place (new) user profiles on a dedicated hard disk, run the command lines
"%SystemRoot%\System32\RoboCopy.exe" "%SystemDrive%\Users" "‹drive letter›:\Users" Desktop.Ini /COPYALL /NJH /NJS /NP /R:1 /W:1
"%SystemRoot%\System32\Reg.exe" ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /V "ProfilesDirectory" /T REG_SZ /D "‹drive letter›:\Users" /F
to create the directory Users with proper attributes and permissions, to copy the (hidden) Desktop.ini file, and to replace the (original) Registry entry
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList]
"ProfilesDirectory"=expand:"%SystemDrive%\\Users"
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"AlwaysShowMenus"=dword:00000000
"DontPrettyPath"=dword:00000000
"HideFileExt"=dword:00000000
"ListViewShadow"=dword:00000000
"NavPaneShowAllFolders"=dword:00000001
"NavPaneExpandToCurrentFolder"=dword:00000001
"SeparateProcess"=dword:00000001
"ShowCompColor"=dword:00000000