Windows XP updates. Necessary?

Sean Nixon
12-21-2010, 02:41 PM
I have a quick question for the more PC savvy out there...

If I plan to use a PC as a client in my sim network to run a particular piece of software, let's say Squawkbox, and I reformat using an XP SP3 disk and valid CoA, and this PC will not be given internet access, do I need to visit Windows update and download a whole load of patches and updates? Or am I ok to stick with the vanilla SP3 as it installs off the disk?

The only reason I ask is that a newly reformatted PC runs great until I install all the latest updates, then the startup and shut down process really takes a while longer to complete. It's really annoying!



12-21-2010, 03:50 PM

I believe most of the updates are "security" updates. If your pc comes nowhere near the internet, why bother? Unless you need e.g. something that asks for the latest updates.


PS Now let nobody start thinking I'm a savvy, I'm always happy that my pc will start.

Sean Nixon
12-21-2010, 03:54 PM
LOL! I'm not too savvy neither. Did you spot my deliberate mistake?

Obviously, the PC running Squawkbox will need internet access!

Thanks JW, my thinking was along the same lines as yours.


Neil Hewitt
12-22-2010, 08:45 AM
I'm an IT professional by job, so you'd expect me to say this, but an unpatched PC is an accident waiting to happen. Even if it's not internet connected, if it's networked to a machine that is, it's vulnerable. Even if it's not networked at all, it's vulnerable to stuff loaded from CD, DVD, USB key, whatever. If you ever plug it into the internet later on, even for a few minutes, it's fairly likely to get infected. Someone did a test, putting a vanilla XP (circa 2002) box online - it took less than 3 minutes for it to get rooted and recruited into a botnet.

Patch all your machines regularly - it's worth it. If you have enough machines on a network, consider downloading and running the Windows Update Server (WSUS) on your network. That will download all the patches and updates just the once, store them locally, and distribute them to all your PCs per their local policy.

If you find that a post-patch PC takes much longer to restart - beyond the first time, when you'd expect it - that suggests to me that something has gone awry. Nothing Microsoft will ship over Windows Update should do that to your machine.


Sean Nixon
12-22-2010, 03:09 PM
Thanks for that explanation Neil. It's pretty much what I thought I should be doing. It's just that there are so many updates since SP3 and I'm convinced installing them all in one go bogs the PC down to the extent they are never the same (performance wise) than they were prior to the update.

I've got a few PCs to reformat before adding them to my network, I'll maybe make a few notes along the way. I do agree that the OS should be as up to date as possible though.

I'll also look into the WSUS service.


Sean Nixon
12-24-2010, 09:28 AM
Having spent a good couple of hours looking at the Microsoft WSUS service, my head is totally bamboozled! Do they make it complicated so that only Microsoft trained IT professionals can use it???

First question... can I use it on an XP 'server'?

Neil Hewitt
12-24-2010, 11:36 AM
Hi Sean.

It is a tool meant for systems administrators, so yes, it's fairly complex. The beauty of it is that it gives you control over what updates you do and don't distribute, and you only have to download them once.

To answer your first question, it seems the answer is no. WSUS has to run on a server version of the Windows OS. I realise that might be a deal-breaker for you. Obviously I have access to volume license and MSDN media such that I can run pretty much whatever I need to within our license limits.

If your network is a set of peered XP clients, and no central server, then it's probably not suitable for WSUS.


Sean Nixon
12-24-2010, 11:51 AM
Thanks for the reply Neil, but...

"If your network is a set of peered XP clients, and no central server, then it's probably not suitable for WSUS."

Yeah, that's exactly how my network is setup. Pity, it would've been nice to have to only download the updates once and install them over the network.

The problem now lies in the fact that the sim PCs are not normally given internet access, so auto updates won't work, thereby leaving them potentially at risk from the sources you described in your earlier post.

How easy would this be...

My 'Main Client' (sort of like an Instructor Station) has wireless access to the internet. It also connects to my sim clients via a bog standard switch. Can the clients access the internet via ICS? I'm going to try it out now, but any advice would be appreciated.

Thanks and Merry Christmas.


Neil Hewitt
12-24-2010, 12:40 PM
Well, here's an idea: download an HTTP proxy server (Proxify is probably the best but it ain't really user-friendly, I've also used CC Proxy in production which isn't free but is reasonably cheap). Stick it on your internet-connected PC. Set it up to accept connections from machines on your network over port 80 (HTTP) and port 443 (HTTPS), and forward them to the internet, but only to the following destinations:


(This is, I believe, a canonical list of all Microsoft update sites.)

Then set up Windows Update on the other PCs to pick up updates as normal, and (this is the clever bit), set up the internet proxy in IE (from which Windows Update will get its settings) to point to the proxy server you've installed on your main machine. The other PCs cannot see (or be seen from) the internet, but they can request updates from Microsoft as long as your main PC is on and the proxy running. If you turn on caching at the proxy level then, for the smaller patches at least, it's likely that it'll only have to be downloaded once and the other PCs will pick it up from the proxy's cache.

It's not the simplest solution, but it should work rather better than an ICS-based one.
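
The destination filter described in the post above, sketched as an added example (it is not part of the thread and is not the configuration of Proxify or CC Proxy). The domain names are placeholders, since the post's own list of update sites is not present on this page, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Placeholder destinations (assumption): the post's own list is not on this
# page, so substitute the update hosts you actually intend to permit.
ALLOWED_DOMAINS = ("update.example.com", "download.example.net")
ALLOWED_PORTS = {80, 443}  # the two ports named in the post


def host_allowed(host):
    """Exact match or true subdomain; a bare endswith() would also pass
    'notupdate.example.com'."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def proxy_allows(method, target):
    """Return True if the proxy should forward this client request."""
    try:
        if method.upper() == "CONNECT":      # HTTPS tunnel: target is host:port
            parts, default_port = urlsplit("//" + target), 443
        else:                                # plain HTTP: target is absolute URL
            parts, default_port = urlsplit(target), 80
            if parts.scheme != "http":
                return False
        host, port = parts.hostname, parts.port
    except ValueError:                       # malformed port or bracketed host
        return False
    if not host or parts.username is not None:
        return False                         # no host, or user@host tricks
    if port is None:
        port = default_port
    return port in ALLOWED_PORTS and host_allowed(host)


# Constructed sample requests, as a LAN client might send them to the proxy.
SAMPLE_REQUESTS = [
    ("CONNECT", "update.example.com:443"),
    ("GET", "http://cdn.download.example.net/patch.cab"),
    ("GET", "http://notupdate.example.com/patch.cab"),
    ("CONNECT", "update.example.com.evil.test:443"),
    ("CONNECT", "update.example.com:3389"),
    ("GET", "http://update.example.com@203.0.113.5/"),
]

if __name__ == "__main__":
    for method, target in SAMPLE_REQUESTS:
        verdict = "FORWARD" if proxy_allows(method, target) else "DENY"
        print(f"{verdict:8}{method} {target}")
```

Only the first two sample requests are forwarded; the rest fail on the host suffix, the port, or the embedded user@host form.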


Sean Nixon
12-24-2010, 12:58 PM
Well I crashed and burned trying to set up ICS! ICS wants to set the LAN adaptors' IP to, but fails, therefore ICS setup halts!

My wireless router has the IP address by default, so I changed this (to Still no joy.

Then I noticed ICS was trying to change the IP address of the LAN adaptor, but the internet is not coming in through the LAN, it's a wireless connection. I manually configured the LAN adaptor to, but ICS overrides this, setting it back to automatically obtain IP address, but then fails to set it and I get the same error message as above. Seems ICS wants to use only the LAN adaptor.

There must be a way of sharing a wireless connection to wired PCs on the network???

I'll look into your suggestion Neil, but when I haven't begun sinking Stellas!


Sean Nixon
12-24-2010, 02:17 PM
Just a quick note, I eventually got ICS working. :D