Carefully choosing only the MS patches I require

Discussion in 'other security issues & news' started by wat0114, Feb 5, 2013.

Thread Status:
Not open for further replies.
  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    That looks about right. The installation grows by GBs after SP3 and subsequent patches. Even removing the backups directories lowers the overall bloat by only about 500 MB, at least in my case. And it's not even the additional disk space the patches take up that bothers me, it's the significant performance hit the patches, SP's included, induce on the system.
     
  2. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Oh how I would like to see this supposed performance hit scientifically measured. Please, do it sometime.
     
  3. guest

    guest Guest

    Just one remark because I remember how happy I was with SP3 back in the time: it made my formerly XP SP2 system run approx. 10 - 15 % faster (more snappy). Measured by trained feeling only of course. :D

    But I remember I was really overwhelmed with joy having suddenly a turbo engine built in! :cool: - So not everyone thinks that installing SP's does slow your system down. I don't and say the opposite. :p

    Maybe leaving out patches is making it even faster (though I doubt that because my system didn't get slower over the time besides the usual clutter effect!), but it wouldn't be worth all the hassle to me anyways. But I am amazed what people do with their free time. :D
     
  4. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Again, if anyone has any further info about NEMET... I'm all ears... not to hijack this thread or anything (I'm sure my buddy wat doesn't mind).

    I have an installer for it on my box, just sitting there. But I didn't jump into it because of aforementioned confusion over it.
     
  5. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    It's all good, lucid :)

    As for Nemet, I'd feel leery about using it, although it might work perfectly fine. I just prefer to use a known and continually developed product like .NET, even though it adds considerable data overhead. I'm just sticking with .NET 2 on XP.
     
  6. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I just reopened an old thread about NEMET in the "other malware" forum actually. Not only to keep this thread clear of clutter, but also because it will get more attention there.

    Seems to me that since EMET is really just a GUI to deploy the mitigations anyway, the concern you brought up doesn't apply as much. And it's not like EMET is very well maintained either... it's had what, 2 updates in the past few years?... with 1 of them still being a beta release (3.5), so only 1 final/stable one in all this time (3.0). And from everything I hear and have seen first-hand EMET isn't the most stable/reliable thing itself. Plenty of bugs in it and conflicts with software. Heck, maybe NEMET is actually more stable and better written/conceived? I think just due to the mere fact it doesn't require/run on .NET FW leaves a decent chance for that being the case.
     
  7. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    You may be right. Having never tried it, I'm not going to criticize NEMET in the least. I just have an aversion toward using generic brand products, although I am tempted to test it in a virtual machine.

    *EDIT*

    BTW, I'd like to clarify I advocate and partake in installing updates that fix O/S issues and performance deficiencies - all of them, without fail. But good luck trying to convince me the ones that address vulnerabilities, especially those where, and I quote from a typical MS Security Bulletin...

    ...help to improve performance.
     
    Last edited: Feb 15, 2013
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Both programs use the same DLL. Any crashes caused by EMET will apply to NEMET, the only difference is that you use a different interface.

    When EMET causes a crash it's not as if it's due to a bug in EMET's implementation, it's because some mitigation techniques will cause crashes when programs aren't built for them.
     
  9. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    Thanks Hungry, I'll take a look at it for sure :)
     
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Yeah I just answered all of my own questions via some research. NEMET simply is not an option for me whatsoever.

    WehnTrust is. I may just give it a try and reimage if I don't like it. I've heard it makes a copy of every .dll & .exe on your system, which sounds like it has the potential to be cumbersome at best... and problematic at worst. I have serious doubts that it'll become a part of my setup.
     
  11. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    I've looked at it before, and that's sound logic, but I've never actually taken the plunge. I was afraid I'd break my box. Look at the screenshot when you click on that link about 1/3 of the way down the page once... Check out that System Cache!... OMG, 53K! That's absurd, lol. I'll bet there's absolutely nothing installed though. They probably gutted it right after a format. Suddenly the 208K my box boots at doesn't feel quite as pimp anymore, lol.

    I do actually have less processes in idle though. They show 17, while I have 15 in idle (which is really 13 when you take out Task Manager & System Idle Process).

    So anyone have any insight/experience first hand about this app? Has anyone really gone to the extreme and yanked out everything that isn't bolted down in XP? This just looks too intriguing to me not to try now. But I'd like to hear other experiences first. You guys with your VM's... here's an awesome mad scientist experiment for you. And I may just have to get my fingers dirty too. I do have clean images.
     
  12. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    I didn't try this with XP, however, I did experiment with 98Lite, which was the predecessor of XPLite. It wasn't without problems, which made me not want to bother trying XPLite. Stripping out entire components can sometimes hose some other functionality that depends on these. Here's a much better explanation. Scroll down a bit to the part "Why I Don't Use Programs Like XPLite and nLite".

    This guy has an unbelievably comprehensive guide to cutting the blubber out of XP without ruining functionality or creating error messages. If you want to go hardcore this is the place to look.
     
  13. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    Oh yeah, I gave that a look. The funny thing is... I have my XP more bareboned than his is, if you can believe that, LOL! He should be reading MY guide (not that I have one).
     
  14. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    I never did get around to trying NEMET, losing interest pretty quickly. This nLited XP Pro SP3 installation I've been running with reduced MS patches is screaming fast like a high end Porsche in top gear, even with .NET 2.0 and EMET :thumb:
     
  15. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    In that case, you may want to leave well enough alone! How long did it take you? The first time I read that guide (several years ago) I imagined myself spending two weeks or so mucking around and got a lazy attack :D

    OTOH, I did find his reasoning for not screwing around with XPLite and nLite pretty interesting. With 98Lite I had something similar to what he described, although I can't remember what it was.
     
  16. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    I hope you do realize that applying Windows updates has zero impact on performance. :) The only reason I skip some (~20%) that I know aren't necessary is to save a little space in the $hf_mig$ folder (which I have junction'ed to another drive to not waste space on C:\), although they can be deleted anyway I guess, as well as the Security Catalogs (*.cat) from each update in the system32\CatRoot folder. Same reason I like to clean reinstall every once in awhile, just to get a fresh start and clean up a few of those trivial files. :)

    No uninstall files are created when updates are integrated with install (I don't use nLite at any point) or later when applied manually with the /nobackup switch. After XP (or did it start with 7?), no more /nobackup and more junk DOES pile up...

    Here's my script to integrate updates into SP3 folder:

    Code:
    @echo off
    setlocal
    REM Target: extracted XP SP3 source (I386 folder) the updates are slipstreamed into.
    set TARGET=H:\WinXP-Temp
    
    REM Prerequisite/base updates first (order is not critical: the newest file version always wins).
    "XP SP3\Base\WinXP WinTrust Update (KB2749655)" /integrate:%TARGET% /quiet
    "XP SP3\Base\WinXP Cert. Key Length Update (KB2661254-v2)" /integrate:%TARGET% /quiet
    "XP SP3\Base\WinXP Dec2012 Time Zone Update (KB2779562)" /integrate:%TARGET% /quiet
    
    REM Every update .exe in "XP SP3", newest first (/o:-d = reverse date order), so svcpack.inf lists them oldest to newest.
    FOR /F "delims=" %%f IN ('dir "XP SP3\*.exe" /b /o:-d') DO (
        echo %%f
        "XP SP3\%%f" /integrate:%TARGET% /quiet
    )
    
    "XP SP3\Base\WinXP-ICS Fix (KB951830)" /integrate:%TARGET% /quiet
    
    pause
    endlocal
    exit
    They are applied in approximate reverse order, because they come out the opposite way (in order, oldest to newest) in svcpack.inf and are applied in that order, although it doesn't matter, since newest files are guaranteed to be used.

    Sometimes I use the manual workaround for updates instead of installing the update. For example, one in the .cmd file I put in the [GuiRunOnce] section of WINNT.SIF:

    Code:
    @echo off
    REM Run from [GuiRunOnce] in WINNT.SIF: manual workarounds applied in place of the corresponding updates.
    cd /d %WinDir%\system32
    
    REM Delete the Indeo codec files (See advisory 954157; KB955759)
    del ir41_32.ax ir32_32.dll ir41_qc.dll ir41_qcx.dll ir50_32.dll ir50_qc.dll ir50_qcx.dll
    
    REM Unregister, then delete, the ancient Flash player that ships with XP
    regsvr32 /s /u Macromed\Flash\Flash.ocx
    rmdir Macromed /s /q
    
    
    REM For MS12-002: give the Object Packager OLE server its full path so packager.exe
    REM is no longer resolved through the search path / current directory
    reg add HKCR\Package\protocol\StdFileEditing\server /ve /d "%WinDir%\system32\packager.exe" /f
    ActiveX Kill Bits instead of some updates (not included in cumulative ActiveX Kill Bits updates). Applied after first reboot after nodefaultadminowner=0 takes effect (gets set back to 1 after installing everything, since it causes wacky stuff for programs running as Normal User (SRP "restricted")):

    Code:
    Windows Registry Editor Version 5.00
    
    ; "Compatibility Flags" is a bitmask; 0x00000400 is the kill bit that stops
    ; Internet Explorer from instantiating the control with that CLSID.
    
    ; Kill bit for MS08-050 (Messenger)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B69003B3-C55E-4b48-836C-BC5946FC3B28}]
    "Compatibility Flags"=dword:00000400
    
    
    ; Kill bits for MS09-044 (Remote Desktop)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}]
    "Compatibility Flags"=dword:00000400
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4EB89FF4-7F78-4A0F-8B8D-2BF02E94E4B2}]
    "Compatibility Flags"=dword:00000400
    
    
    ; Kill bit for MS09-057 (Indexing Service)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A4463024-2B6F-11D0-BFBC-0020F8008024}]
    "Compatibility Flags"=dword:00000400

    This month, my integrated update count was 74 (plus the 4 from the batch file that don't have a Security Bulletin). So, 78, VERY carefully chosen after careful analysis keeping track each month over the years. And I just did an extremely thorough analysis again, quickly checking most, and scrutinizing some very closely to decide in November. This resulted in me including a couple more for reasons I had overlooked (you need to be very, very careful considering possibilities since the bulletins are generally vague and sound the same), and skipping a few that I used to include (and a couple later updates, in combination, replaced a previous one, so it wasn't even doing anything to install it, which my "update file checker script" missed :oops:).

    First, you better go back and also look at all of the previous bulletins that may have been replaced by this seemingly "minor" one. Previous ones could have been (e.g. probably WERE) critical, and once one of those is in the chain, I will always include the latest one, at least with a fresh install.

    Second, "valid logon credentials and be able to log on locally to exploit this vulnerability" ALSO includes any exploit code that runs in some other legitimate process! I used to skip more of these too when I used to run everything unrestricted as admin (figuring "game over" anyway, and pretty true in that case). But assuming you're not browsing with admin privileges, I don't think you're saying that if an attacker gets "local access" (via Firefox, Flash, Java, PDF vulnerability, etc.) that it's "game over," are you? Then take a close look, and you probably want to apply most "Elevation of Privilege" updates! I now think these are some of the most important. After all, Remote Code Execution ones, if they're just at the application-level/user-mode, their impact can be limited (no admin) and/or contained (Sandboxie). Something elevating to full privileges is really bad, though (in some cases, Sandboxie may block them from working, either by design or chance).

    address this...?

    Anyway, lots of those "Insecure Library Loading" vulnerabilities. :) Easy workaround is the CWDIllegalInDllSearch added in one of the kernel updates (ntdll.dll), I think:

    Code:
    Windows Registry Editor Version 5.00
    
    ; CWDIllegalInDllSearch: 1 = skip the current directory when it is a WebDAV folder,
    ; 2 = skip it when it is a WebDAV folder or a remote (UNC) share,
    ; 0xFFFFFFFF = never search the current directory for DLLs
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "CWDIllegalInDllSearch"=dword:00000002
    0xFFFFFFFF breaks some applications, but 2 should be fine.
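Added example, not part of the post above or of any Microsoft tooling: a small Python audit for the kill-bit approach described in the post. It parses a `.reg` export of the `ActiveX Compatibility` hive and reports which CLSIDs actually have the kill bit (0x00000400) set, testing the DWORD as a bitmask rather than comparing it to 0x400, because the same value can carry other IE compatibility bits. The sample `.reg` text is constructed for the example; it reuses three CLSIDs from the post and adds a made-up one ({11111111-...}) and an unrelated key to show what the audit must ignore.

```python
"""Audit ActiveX kill bits in a .reg export.

A kill bit is bit 0x400 of the "Compatibility Flags" DWORD under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
Other bits in the same DWORD are other IE compatibility settings, so the
value has to be tested as a bitmask, not compared for equality.
"""
import re

KILL_BIT = 0x00000400

# Hive prefix, compared case-insensitively (registry key names are case-insensitive).
ACTIVEX_COMPAT = "hkey_local_machine\\software\\microsoft\\internet explorer\\activex compatibility\\"

# Constructed sample export: two kill-bitted controls (one with an extra flag bit
# set alongside the kill bit), one key without the kill bit, and one key outside
# the ActiveX Compatibility hive that must be ignored.  {11111111-...} is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; Kill bit for MS08-050 (Messenger)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B69003B3-C55E-4b48-836C-BC5946FC3B28}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}]
"Compatibility Flags"=dword:00000420

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-2222-3333-4444-555555555555}]
"Compatibility Flags"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Unrelated\{B69003B3-C55E-4b48-836C-BC5946FC3B28}]
"Compatibility Flags"=dword:00000400
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{1,8})$')
_CLSID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")


def parse_kill_bits(reg_text):
    """Return {CLSID (upper-cased): flags} for every ActiveX Compatibility key in the text."""
    flags_by_clsid = {}
    current = None                      # CLSID of the key we are currently inside, if relevant
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group("key")
            current = None
            if key.lower().startswith(ACTIVEX_COMPAT):
                clsid = key[len(ACTIVEX_COMPAT):]
                if _CLSID_RE.match(clsid):
                    current = clsid.upper()
            continue
        flags_match = _FLAGS_RE.match(line)
        if flags_match and current is not None:
            flags_by_clsid[current] = int(flags_match.group("hex"), 16)
    return flags_by_clsid


def parse_reg_file(path):
    """Parse a regedit export from disk ("Version 5.00" exports are UTF-16 with a BOM)."""
    with open(path, encoding="utf-16") as fh:
        return parse_kill_bits(fh.read())


def killbitted(flags_by_clsid):
    """CLSIDs whose Compatibility Flags include the kill bit (bitmask test)."""
    return sorted(clsid for clsid, flags in flags_by_clsid.items() if flags & KILL_BIT)


def missing_kill_bit(flags_by_clsid, expected):
    """Expected CLSIDs that are absent, or present without the kill bit set."""
    have = set(killbitted(flags_by_clsid))
    return sorted(c.upper() for c in expected if c.upper() not in have)


if __name__ == "__main__":
    flags = parse_kill_bits(SAMPLE_REG)
    print("kill bit set:   ", killbitted(flags))
    print("still exposed:  ", missing_kill_bit(flags, [
        "{11111111-2222-3333-4444-555555555555}",
        "{A4463024-2B6F-11D0-BFBC-0020F8008024}",   # MS09-057 CLSID from the post, absent from the sample
    ]))
```

To audit a live machine, export the hive with `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" killbits.reg` and pass the file to `parse_reg_file`; the CLSIDs in `expected` would be the ones from the bulletins you chose to work around rather than patch.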
     
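Added example, again not from the post above: a Python model of why the `CWDIllegalInDllSearch` value mentioned at the end of the post mitigates the "Insecure Library Loading" class, and why the post says 0xFFFFFFFF breaks some applications while 2 is usually fine. It models the DLL search order with SafeDllSearchMode on (the XP SP2+ default: application directory, system directories, current directory, then PATH) and applies the documented meaning of the registry value (1 = skip the current directory when it is WebDAV, 2 = also skip it when it is any remote share, 0xFFFFFFFF = never search it). The directory layout, share names, DLL names and the viewer application are all constructed for the example; KnownDLLs and already-loaded modules, which bypass the search entirely, are deliberately not modelled.

```python
"""Model of the Windows DLL search order (SafeDllSearchMode enabled) and of the
CWDIllegalInDllSearch policy for the current directory (CWD).

CWDIllegalInDllSearch under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager:
  absent / 0  : CWD is searched (after the system directories, before PATH)
  1           : CWD skipped when it is a WebDAV folder
  2           : CWD skipped when it is a WebDAV folder or any remote (UNC) share
  0xFFFFFFFF  : CWD never searched

This is a model for illustration, not the loader; KnownDLLs and already
loaded modules (which skip the search) are not represented.
"""
import ntpath

BLOCK_WEBDAV = 1
BLOCK_REMOTE = 2
BLOCK_ALWAYS = 0xFFFFFFFF

SYSTEM_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS\system", r"C:\WINDOWS")

# Constructed sample layout: a viewer application, the real system32, a lure
# document on an attacker's share with planted DLLs beside it, the same lure on
# a WebDAV folder, and a local folder holding a helper DLL that a legitimate
# program loads by bare name from its CWD.
APP_DIR = r"C:\Program Files\Viewer"
EVIL_SHARE = r"\\evil\share"
WEBDAV_DIR = r"\\webdav.example\DavWWWRoot"
LOCAL_DOCS = r"C:\Documents and Settings\user\My Documents"
PATH_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS")
FS = {
    APP_DIR: {"viewer.exe"},
    r"C:\WINDOWS\system32": {"kernel32.dll", "winhttp.dll"},
    EVIL_SHARE: {"report.doc", "helper.dll", "winhttp.dll"},   # planted next to the lure
    WEBDAV_DIR: {"report.doc", "helper.dll"},
    LOCAL_DOCS: {"plugin.dll"},
}
WEBDAV_DIRS = frozenset({WEBDAV_DIR})


def cwd_is_searched(cwd, cwd_illegal, webdav_dirs=WEBDAV_DIRS):
    """Apply the CWDIllegalInDllSearch policy to the current directory."""
    if cwd_illegal == BLOCK_ALWAYS:
        return False
    webdav = cwd in webdav_dirs
    remote = cwd.startswith("\\\\")            # UNC path: \\server\share
    if cwd_illegal == BLOCK_REMOTE:
        return not (webdav or remote)
    if cwd_illegal == BLOCK_WEBDAV:
        return not webdav
    return True


def dll_search_order(app_dir, cwd, path_dirs, cwd_illegal=0):
    """Directories probed, in order, for a DLL requested by bare file name."""
    order = [app_dir, *SYSTEM_DIRS]
    if cwd_is_searched(cwd, cwd_illegal):
        order.append(cwd)
    order.extend(path_dirs)
    return order


def resolve_dll(name, order, fs=FS):
    """Full path of the first copy of `name` found along `order`, or None if absent."""
    want = name.lower()                          # NTFS lookups are case-insensitive
    for directory in order:
        if any(f.lower() == want for f in fs.get(directory, ())):
            return ntpath.join(directory, name)
    return None


def load_as(dll, cwd, cwd_illegal=0):
    """What viewer.exe, running with `cwd` as current directory, would load for `dll`."""
    return resolve_dll(dll, dll_search_order(APP_DIR, cwd, PATH_DIRS, cwd_illegal))


if __name__ == "__main__":
    for setting in (0, BLOCK_WEBDAV, BLOCK_REMOTE, BLOCK_ALWAYS):
        print(f"CWDIllegalInDllSearch={setting:#x}")
        print("  helper.dll, CWD = share  :", load_as("helper.dll", EVIL_SHARE, setting))
        print("  helper.dll, CWD = WebDAV :", load_as("helper.dll", WEBDAV_DIR, setting))
        print("  winhttp.dll, CWD = share :", load_as("winhttp.dll", EVIL_SHARE, setting))
        print("  plugin.dll, CWD = local  :", load_as("plugin.dll", LOCAL_DOCS, setting))
```

Two things the model makes visible: a DLL that already lives in system32 is never hijackable from the CWD under SafeDllSearchMode, so the exposed cases are DLLs the program asks for that the system does not ship; and the value 2 stops the remote-share case while still letting a local program find `plugin.dll` in its own working directory, which 0xFFFFFFFF does not.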
  17. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    Sorry, based on personal experience, I don't buy this claim of yours and others.

    As for all your other claims regarding the importance of the updates, we'll see. As I stated previously, if they occur, I will happily post the particulars of any and all exploits that happen to breach this setup.
     
  18. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    So you're saying that if they release an Update Rollup sometime (I've been waiting, maybe next year at "the end" to collect them all) and it's installed, it'll make things slower? (I'll take them all, since it covers everything, doesn't hurt anything, and just ONE Security Catalog file to cover everything. :p) I'm a major speed/optimization guy, and I wouldn't even consider thinking that. ;) (Assuming that there's not some fluke update that really changes some specific behavior and stuff.)

    Like someone else said, let's see some proof of this claim! :D

    I haven't tried it of course, but when all updates I apply are integrated into the Windows install disc, it already put the updated extracted version of the files in the I386 folder. Yet, for some reason, it still runs the update files (in svcpack folder) during installation (happens at "13 minutes remaining" I think, and takes 5+ minutes to run). I've assumed this is just to "officially" install the updates (to show in Add or Remove Programs) as well as their Security Catalogs.

    If you were to delete svcpack\ and svcpack.inf after integrating, I assume the install would still be updated since the new files are copied from I386. Then it would be no different than an old disc install, just plain files being copied. So would it be slow then or not...?

    The updates don't DO anything after the files are installed. Everything is the same, just without vulnerable files.
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @DR_LaRRY_PEpPeR
    Are you saying you only slipstream updates into source disc and then reinstall the OS? That sounds like what you are saying.

    Or, are you saying you have a method that allows one to install an update (a chosen update, whatever) in a manner similar to slipstreaming the media - meaning all that uninstall garbage is not present in the live system.

    I used to slipstream service packs and some updates - back in RyanVM days when that was the geekiest thing around lol. Now I don't even bother. I have sp1 for win7, and just do my own tweaks and extensive customizing. No updates, no reinstalling. Maybe on another sp I will reinstall.

    Anyway, sounds like you've been down many of the same paths I have been down, and just wanted to clarify what you meant by your information-crammed post ;)

    And for the record, I am one of those who think updates can have a lot of impact on performance. I wouldn't say it 100% will, but I know what I have seen and experienced, which at times is very noticeable. Doesn't matter really, its all relative to the individual..

    Sul.
     
  20. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    Well Doc, I don't know what you're trying to say, but how do you explain data growth on the installed h/drive in the magnitude of hundreds of megabytes - actually gigabytes - after SP3 and all subsequent patches are installed on a raw XP installation? As for no impact on performance as you claim, where is your proof? Mine is not available ever because I never recorded it in any way, only what I have easily noticed in experiencing performance from a fresh installation of XP compared to the same one with SP3 and all other patches. The difference was most emphatically telling. You and others don't have to take my word for it. I don't even care. BTW, it might be far more noticeable on older hardware than on newer hardware. One's mileage may vary :)

    BTW Doc, Sully's claims are as good as gold :thumb:
     
    Last edited: Feb 23, 2013
  21. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    That I only put updates on reinstalls? Haha, no, although I am always tempted each month when previous updates get replaced to reinstall everything again. (Not really, but close.)

    Yeah, I apply all relevant updates manually as I go along each month... The /nobackup switch for the updates makes it not put the uninstall stuff (assuming there's not a problem update sometime!). So, if it replaces a previous update, the only thing "extra" is that update's $hf_mig$ folder, which I could go back and delete (although I have yet to), and its .cat file, I guess...

    I first discovered /nobackup with Windows 2000, but that's not available anymore with Win 7, and its new update system with those .mup files or whatever. So extra stuff looks like it piles up more with each update.

    I heard there won't be a SP2 for 7. :( I saw something about "integrating" updates with it, but it sounds like it was just running the updates like usual after installation, not truly "slipstreaming" like I've been used to. That was the impression I got... I saw it was really complicated to even integrate SP1! Then I realized I could just download the SP1 ISO from Microsoft's Digital River online store thing, so I did that. (64-bit Home Premium for Windows Media Center TV/PC system setup not quite a month ago.)

    I remember your posts about PGS, among other things, from Google searches before I registered here. :) I never really used PGS, since I was manually entering SRP stuff in the registry by that time (have a simple .js file to do it now). I haven't tried putting any of the GP stuff on my Home setup -- it was trivial to convert it to "Pro" (SETUPREG.HIV hack before install), but that doesn't really do anything other than changing the text in a few places. But it gives me the option to disable Simple File Sharing, although I haven't. I applied another trivial 1-byte modification to rshx32.dll so it thinks it's always in Safe Mode for the Security tab (looks at the altered ...CurrentControlSet\Control\SafeBoot\OptionValue=1). But, I digress. :)
     
  22. DR_LaRRY_PEpPeR

    DR_LaRRY_PEpPeR Registered Member

    Joined:
    Oct 11, 2012
    Posts:
    141
    Location:
    St. Louis area
    You started with a raw, no-SP XP install? :eek: Wow, I'm not used to that! Again, not that it should make a difference for performance, just extra space taken up. Of course, that's from the uninstall stuff! Delete it if you don't want it. (Should be most of the $NtUninstallxx$ folders in %WinDir%.)

    Other than the space being used, there shouldn't be any difference like I said. Even if I'd be tempted to psychologically tell myself that (and I definitely would be), I just know it isn't true for myself. Now, the system does seem to feel just a bit "better" and clean after a reinstall, which is probably just placebo too, but if anything, it would have been from other stuff accumulating over time (Win rot), besides updates, although that's less true now with Sandboxie.


    I've just done totally clean installs. With Win2k, that was only the latest SP (plus Update Rollup at the end), although I guess updates could have been integrated as well, I just didn't realize. My laptop install this month is about the same size (within 1MB say) as one 2 years ago, initially. The only extra space would come from extra .cat files, if a few more total updates since then, and if any of the system files are slightly bigger (sometimes they get barely smaller). I pay attention to nearly every little detail. ;)

    In fact, the size of the install is how I gauge that I've deleted all the little bits I want to (like temp files, log files, dllcache, Prefetch, MSN Explorer, temporary pagefile moving, $hf_mig$ moving/junction'ing/SetACL'ing) before imaging the base install after installing Ethernet driver and activating XP...

    Why would there be any difference? If I even had a hint of that, I'd benchmark. I've done it to check other small stuff before. What benchmarks do you want? I can try to do some sometime before and after whatever chain of updating you choose. (Unless you can start clean again, and do before/after.) In that case, if you can start over, make a nice, pristine SP3+updates install disc and admire the beauty. :p Assuming you can burn a DVD, it's pretty simple, or I could give you an ISO of mine somehow. Wait, isn't that what you just did with nLite, or was that just for SP3 itself?

    I won't touch that nLite after I saw it put something extra of itself into the install (some harmless lines in files like sysoc.inf I think?). No way, I don't want anything touched like that, I don't care what it is, if it can be done manually. It took me AWHILE to figure out how to load the Intel SATA drivers myself (during text mode portion of setup), but it was simple in the end -- in TXTSETUP.SIF, not WINNT.SIF
     
  23. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,069
    Location:
    Canada
    Given the laws of physics, how can you possibly claim no performance difference when the base installation grows by ~ 100% in size after the SP and updates. I'm telling you that from my experience, no lie, no placebo-induced or exaggeration, there is a very noticeable performance difference after the SP and all updates are installed. BTW, removing the uninstall stuff does not reduce the space that much, at least for me.

    nLite works for the most part in removing what's selected, but it's certainly not perfect. It actually broke the option to remove the additional programs like Messenger, etc, and it did not remove a few items I selected either. However, it has never, for me, broken anything critical. I've always ended up with a functioning and smaller than usual default installation.
     
  24. Wait, why should installation size have any serious impact on performance? As long as you have plenty of free disk space that should be a nonissue, no?
     
  25. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I would imagine on a very very old hard drive it could be a problem. On any modern system there should be literally no performance difference, except in extreme circumstances like a very fragmented drive.
     