
Defensive Computing

October 23, 2008 10:26 PM PDT

Time to patch Windows again, ASAP

by Michael Horowitz
  • 55 comments

If you use a Windows computer connected to a network, a newly discovered bug makes it possible for a bad guy to wreak havoc on the computer without your doing anything. The most vulnerable versions of Windows are XP, 2000 and Server 2003. Vista and Server 2008 are also vulnerable, but not as badly. Microsoft considers the bug important enough to issue the patch immediately rather than waiting for their normal once-a-month patch Tuesday.

Susan Bradley, writing for the Windows Secrets newsletter, recommends immediately installing the just-issued patch. Then she offers some unusual advice, suggesting people first restart their computers "to verify that your machine is bootable." Can't hurt. Then she says to install the patch and reboot again. Her article also includes direct links to the patch for each version of Windows. If, for some reason, you can't run Windows/Microsoft Update, you can manually download the patch and install it.

A standard of Defensive Computing is that the less software installed and running the better. This particular bug is with a part of Windows known as the Server service. If you are not sharing files and/or printers on a local area network, then you don't need to have the server service running, bug or no bug.

Making a Windows service not run all the time is called disabling and/or stopping. Stopping refers to the instance of the service currently running. Disabling means preventing it from ever starting again. Microsoft describes how to both stop and disable the Server service in Security Bulletin MS08-067. They also suggest doing the same to the Computer Browser service.

Anyone not sharing files and/or printers on a network should also turn off File and Printer Sharing for Microsoft Networks (the Windows XP name) on all network definitions. For example, on a laptop with both wired Ethernet networking and wireless Wi-Fi networking, File and Printer Sharing should be turned off in both network definitions.

If the Server and Computer Browser services are disabled, then some people might consider the last point (and the next) overkill. I think they are a good idea because it means two mistakes would have to be made to enable file and printer sharing as opposed to only one mistake.

Build a better fence around your Windows computer.

For still more safety, look into how your firewall is configured to ensure that it does not allow incoming traffic on TCP port 139 or 445. Again, this is for someone not sharing files and printers. Firewall configuration varies widely, but if you are using the Windows firewall in XP, the exception for this is called "File and Printer sharing."
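The stopped-versus-disabled distinction and the port 139/445 check above can be verified from saved command output. The following is an added example, not code from the original post or from Microsoft: it assumes English-language output of `sc query`, `sc qc` and `netstat -an`, assumes `lanmanserver` and `browser` are the key names of the Server and Computer Browser services, and runs on constructed sample output.

```python
# Added example: audit saved command output for the settings described above.
# Assumptions: English-language output of `sc query`, `sc qc` and `netstat -an`;
# "lanmanserver" and "browser" are the key names of the Server and Computer
# Browser services. All sample output below is constructed.

SERVICES = {"lanmanserver": "Server", "browser": "Computer Browser"}
SMB_PORTS = (139, 445)

# Constructed: Server was stopped but never disabled; Computer Browser is both.
SAMPLE_SC = """\
SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: lanmanserver
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START

SERVICE_NAME: Browser
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        START_TYPE         : 4   DISABLED
"""

# Constructed `netstat -an` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1042      192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def parse_sc_output(text):
    """Merge `sc query` / `sc qc` blocks into {service_name: {FIELD: value}}."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip().lower()
            current = services.setdefault(name, {})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip().upper()] = value.strip()
    return services


def last_word(value):
    """'4   DISABLED' -> 'DISABLED'; empty or missing -> 'UNKNOWN'."""
    words = value.split()
    return words[-1].upper() if words else "UNKNOWN"


def smb_listeners(netstat_text):
    """Return (address, port) for non-loopback TCP listeners on 139/445."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue
        if fields[3].upper() != "LISTENING":
            continue  # e.g. an outbound connection to someone else's share
        address, _, port = fields[1].rpartition(":")
        address = address.strip("[]")  # IPv6 form such as [::]:445
        if not port.isdigit() or int(port) not in SMB_PORTS:
            continue
        if address.startswith("127.") or address == "::1":
            continue
        found.append((address, int(port)))
    return found


def audit(sc_text, netstat_text):
    """List every way the machine falls short of 'file sharing fully off'."""
    findings = []
    info = parse_sc_output(sc_text)
    for name, display in SERVICES.items():
        fields = info.get(name, {})
        state = last_word(fields.get("STATE", ""))
        start = last_word(fields.get("START_TYPE", ""))
        if state != "STOPPED":
            findings.append(f"{display} service is not stopped (state: {state})")
        if start != "DISABLED":
            findings.append(f"{display} service is not disabled (start type: {start})")
    for address, port in smb_listeners(netstat_text):
        findings.append(f"TCP port {port} is listening on {address}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SC, SAMPLE_NETSTAT):
        print(finding)
```

A listener reported here means the firewall is the only thing standing between the network and that port.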

Firewalls are the first line of defense against this type of problem. With that in mind, you may want to review the series of postings I did recently on adding a second router to a LAN to provide additional firewall protection to your most important computers. See A second router protects adults from kids.

See a summary of all my Defensive Computing postings.

September 11, 2008 11:28 PM PDT

A new reason not to install XP SP3

by Michael Horowitz
  • 24 comments

The September 11th edition of the Windows Secrets newsletter included a couple stories about Windows XP SP3, trying to answer the questions of when and whether to install it. Back in April, when Service Pack 3 was released, I advised against rushing into it. But, it's been almost five months, is it safe to go into the SP3 water?

According to Scott Dunn, who wrote the lead article, you don't need to install Service Pack 3 for another year and a half. He says "... overall support for SP2 expires in early 2010, [so] you'll need to have SP3 installed by that date if you want general support for XP."

I view the SP3 issue as a risk vs. reward decision and the reward still seems small compared to the risk. But there can be a Defensive Computing advantage to not installing SP3 that has nothing to do with avoiding potential problems.

The risk of SP3 causing a problem, while persistent, decreases daily as more software, people and hardware get acquainted with it. You can get a sense of the risk involved by reviewing the Microsoft Knowledge Base article Steps to take before you install Windows XP Service Pack 3. As for reward, in one of the articles Scott Dunn tries to make a case for the upside of SP3. I wasn't impressed.

A New Reason To Wait

But, this assumes you're dealing with a normally functioning copy of Windows XP. Installing SP3 can be a great ace in the hole to have when dealing with a problematic or infected copy of Windows XP. I learned this the hard way working on a couple computers for clients. In each case the near total refresh of Windows that SP3 provides proved invaluable.

One computer had been sent to the hardware manufacturer for repair and when it was returned, it was forgotten about, since it was old and just serving as a backup. But, when it became important again, it needed 99 bug fixes. Downloading the patches went fine, but only seconds after the installation process started, it ended with a useless error message and no error code.

Suspecting that the install logic for 99 concurrent patches might not have been well-tested, I tried installing just one patch and it worked fine. Then I removed a few that I suspected might be problematic but the remaining 90 failed to install. A random clump of 5 patches installed cleanly, but I wasn't going to sit around installing a couple patches at a time.

Service Pack 3 to the rescue. It downloaded and installed just fine.

Another computer was blue-screening at startup, just after the Windows desktop was displayed. By the time I got it, things had improved, only a background process was crashing, Windows itself remained up. But, as soon as I clicked OK to the warning about a serious failure, it failed again. The Microsoft online crash debugger reported that the offending driver was for the WiFi network adapter. But, updating the driver didn't fix the problem. In fact, the new driver had a new name but the crashes kept occurring in the old driver according to Microsoft.

There were dozens of available Minidumps, but I didn't feel like tracking down and installing the software to read and format the dumps. Much of the information in the dump is over my head anyway.

Here again, Service Pack 3 came to my rescue. Since it was installed, no more crashes.

SP3 is like doing a repair install of Windows, only better. It's a nice fallback option to have when things go wrong.

What To Do?

There is no one right answer for when to install Service Pack 3. Me, I'm hanging back for now. But one thing every techie can agree on, is the need for a disk image backup before installing any service pack.

If you haven't installed SP3 yet, then be aware that Microsoft offers free technical support for installing it until April 14, 2009. Depending on where you live, you may be able to speak to someone from Microsoft on the phone, use an online chat or communicate with them by email.

And take a look at the Windows Secrets newsletter. I find it worthwhile.

Updated September 12, 2008: Re-wrote introductory paragraphs to make things clearer.


September 6, 2008 7:50 PM PDT

The main problem with Windows Vista

by Michael Horowitz
  • 76 comments

The New York Times published an article on Friday about Windows Vista that included this: "The main problem with Vista, Microsoft said, was that given the delays, uncertainty and significant changes in the software, the rest of the industry was not ready when Vista finally arrived."

This is, of course, self-serving; companies rarely admit their mistakes. How convenient that the fault lies with the "rest of the industry."

In fact, Microsoft released Vista prematurely. One can only assume that there was pent-up pressure stemming from the delay in getting it out the door. But few Windows users care about the delay. What made an impression, to the non-techies of the world, were the initial problems people had using it.

In the quote above Microsoft was referring to the lack of hardware drivers. They have to shoulder some of the blame for this, both in terms of not working sufficiently with hardware vendors and for releasing Vista knowing full well that driver problems awaited early adopters. Then too, they signed off on calling under-powered computers "Vista capable".

On top of this, Vista wasn't fully baked when it was released. The huge number of articles that suggested waiting for the first service pack is a testament to that.

In fairness, the same can be said of Apple. Leopard (Mac OS X 10.5) too, was far from fully baked when it was released. In this regard at least, Linux shines. There is no marketing department or sales department at Linux headquarters pushing the operating system out the door before the programmers say it's ready. In fact, there are no Linux headquarters at all.

Hassle factor

The Times article goes on to say: "By now, Microsoft insists that most of the frustrating technical problems with Vista...have been resolved--and many industry executives and analysts agree." Assuming, for argument's sake, that's true, the out-of-the-gate problems aren't the end of the story.

Vista has to be better than Windows XP. And the judgment of whether it's better or not varies with the audience. While techies may write blogs and articles, nerds are the minority--most Windows users are normal people with lives focused elsewhere. And for many normal people, Vista just ain't worth it.

For example, I can drive a car with an automatic transmission, but not a stick shift. Assuming, for argument's sake, that stick shifts offered an advantage (perhaps better mileage), I have to weigh the advantage against the cost and hassle of making the switch.

For many computer users, Windows XP works just fine. It's familiar, it's what they know, it's not a problem waiting to be solved. Some can barely use Windows XP and may not have the ability to adapt to anything new. Technical change is fun and easy for techies, but the same change is hard and/or distracting for others. I deal with many non-techies with jobs in other fields who could care less about operating systems. Their computer is a tool to get their work done and any change is a nuisance--perhaps one they don't have time for.

The keyboard on your computer uses a layout that was chosen for reasons that no longer apply. Yet, who knows how many better layouts have failed to take off because they couldn't overcome the hassle involved in changing. Once someone learns to type on an existing keyboard, the benefit has to be huge to switch to a new layout.

Against this background, Vista has to be better than Windows XP. Much better. Noticeably better.

I don't see it.

I don't see Vista offering sufficient benefit in the way of must-have features to make it worth the changeover hassle. On top of this, despite whatever strides Microsoft may cite, Windows XP will be more compatible with existing hardware and software for the immediate future. Thus, XP is still the right decision for many Windows users.

Businesses choose which version of Windows to use and most chose XP (see Intel and General Motors). Consumers, by and large, don't choose, they are force-fed Vista. That's a shame. In part, it has led to the resurgent interest in Macs (along with the commercials, of course) and may well lead to the rise of Linux on Netbook computers. We'll see.

Update September 7, 2008: I'm not a Mac person, so my analogy about Apple also releasing an OS before it was ready may have been off. A commenter below said: "You would be more correct in using OS X 10.0 as a parallel example, which was released way too quickly, and was full of bugs. OS X 10.1 (which had all the fixes) came out very quickly after that, and was distributed to all OS X users for free as a partial apology."


August 27, 2008 10:41 PM PDT

Be safer than NASA: Disable autorun

by Michael Horowitz
  • 54 comments

NASA confirmed this week that a computer on the International Space Station is infected with a virus. (See "Houston, we have a virus" at The Register.)

The malicious software is called W32.TGammima.AG, and technically it's a worm. The interesting point, other than how NASA could let this happen, is the way the worm spreads--on USB flash drives.

Randy Abrams, director of technical education at ESET, alerted me about this. Touching on both interesting points, he said:

"To start with, no computer going into space should have autorun enabled. Simply disabling autorun would have almost certainly rendered the worm inert. Given the age of the worm, and its low risk ranking, it is probable that current (antivirus) software was not being used either."


Malicious software spread by USB flash drives and other removable media takes advantage of a questionable design decision by Microsoft. Windows is very happy to run a program automatically when a USB flash drive is inserted into a PC. How convenient, both for end users and for bad guys.

Abrams blogged about this back in December, and I wrote about it in March. In that posting, I described how to disable autorun for Windows XP and Windows 2000 and I just revised it to include Vista.

In his December blog, Abrams writes, "Fundamentally, there are two types of readers here. The first type will disable autorun and be more secure. The second type will eventually be victims."

Don't be a victim, disable autorun (also known as autoplay) for all devices. It may be a bit inconvenient going forward, but to me, the added safety is well worthwhile.


July 25, 2008 5:10 AM PDT

Fixing Windows Update on XP SP3

by Michael Horowitz
  • 16 comments

Bad news: Service Pack 3 for Windows XP, or one of the subsequent patches, breaks Windows Update. Not all the time, but often enough that I got burned twice.

Good news: Microsoft offers free technical support for Windows Update and that support provided a solution to my problem.

While consumers are conditioned to call their hardware manufacturer for technical support, Microsoft offers free support for Service Pack 3 for Windows XP, IE7 and Windows Update. Support for SP3 and IE7 is offered on the phone (866-234-6020), although, I had a hard time qualifying. Support for Windows Update is offered by email.


To request assistance with Windows Update, start at the Windows Update website (Tools -> Windows Update in IE6 and IE7) and click on the "Get help and support" link in the gray stripe on the left. Then click on "Send a problem report".

The best way to do this is with Internet Explorer on the computer with the problem. This allows Microsoft to download an ActiveX control that gathers assorted debugging information and sends it back to them. In my case, this debugging information proved critical.

A Microsoft technician responded to my plea for help well within their 24 hour goal.

My problem was particularly annoying because there was no error code, thus nothing to search the net for. The error message simply referred to "a problem on your computer". In addition, a review of the update history (click on "Review your update history" in the left side gray stripe) showed no failures at all. I had even checked the system event logs and come up empty.

It turns out that Windows Update has 2.5 activity log files.

In addition to the "update history", there are two plain text log files in the C:\WINDOWS folder. The "half" is a file called "Windows Update.log" which doesn't seem to be used any longer. I checked four XP machines and in each case the file had almost no data and hadn't been updated in a long time.
Update: A reader named Joseph pointed out that this is from an older version of Windows Update. (July 27, 2008)

But the other log file, "WindowsUpdate.log" is a gold mine of information (this file has no spaces in the name). It was included in the debugging information sent to Microsoft and revealed that my problem was an error 0x80004002.
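When the Windows Update screens show no error code, the codes can be pulled out of WindowsUpdate.log directly. The following is an added example, not a Microsoft tool or code from the original post: it assumes the log is tab-separated (date, time, process id, thread id, component, message), and the sample lines are constructed around the 0x80004002 code mentioned above.

```python
import re
import sys
from collections import OrderedDict

# An HRESULT failure code has its top bit set, so its first hex digit is 8-F.
HRESULT_RE = re.compile(r"\b0x([89A-Fa-f][0-9A-Fa-f]{7})\b")

# Constructed sample lines, not a real log. Assumed layout: tab-separated
# date, time, process id, thread id, component, message.
SAMPLE_LOG = [
    "2008-07-22\t19:41:07:312\t1184\t5f0\tAgent\tconstructed: install started\n",
    "2008-07-22\t19:41:07:900\t1184\t5f0\tSetup\tconstructed: check ok, hr = 0x00000000\n",
    "2008-07-22\t19:41:08:015\t1184\t5f0\tHandler\tconstructed: failure, error 0x80004002\n",
    "2008-07-22\t19:41:08:031\t1184\t5f0\tAgent\tconstructed: install ended, hr=0x80004002\n",
    "this line does not follow the layout and is skipped\n",
]


def parse_line(line):
    """Return (timestamp, component, message), or None for a malformed line."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 6:
        return None
    date, time, _pid, _tid, component = (p.strip() for p in parts[:5])
    message = "\t".join(parts[5:]).strip()
    return f"{date} {time}", component, message


def summarize_errors(lines):
    """Map each failure code to its count, first/last timestamp and components."""
    summary = OrderedDict()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        stamp, component, message = parsed
        for digits in HRESULT_RE.findall(message):
            code = "0x" + digits.upper()
            entry = summary.setdefault(code, {
                "count": 0,
                "first_seen": stamp,
                "last_seen": stamp,
                "components": [],
            })
            entry["count"] += 1
            entry["last_seen"] = stamp
            if component not in entry["components"]:
                entry["components"].append(component)
    return summary


def summarize_file(path):
    """Summarize a log file on disk, tolerating stray non-text bytes."""
    with open(path, "r", errors="replace") as handle:
        return summarize_errors(handle)


if __name__ == "__main__":
    # Pass the path to WindowsUpdate.log, or run with no argument for the sample.
    result = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize_errors(SAMPLE_LOG)
    for code, entry in result.items():
        print(code, entry["count"], entry["first_seen"], entry["last_seen"],
              ",".join(entry["components"]))
```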

The Fix

Windows Update was resuscitated with the oldest trick in the book, re-installing the software.

Microsoft's first suggestion was to download version 3 of the Windows Update "Agent" (file WindowsUpdateAgent30-x86.exe) to the root of the C disk, then run it with Start -> Run and the following command:

C:\WindowsUpdateAgent30-x86.exe  /wuforce  

The installation was quick and painless. On both computers, this fixed the problem.

The link to this stand-alone version of the Windows Update agent may change over time. A technician at Microsoft suggested getting the software from here. This fix is also offered here, for a similar Windows Update problem.

How widespread is this problem?

There's no way for me to know how widespread this problem is. If you've had problems with Windows Update after installing Windows XP SP3 leave a comment below.

I don't use Automatic Updates, but if you do, and find the yellow shield never goes away, you may be experiencing this problem. To see, try running Windows Update manually from the website to ensure it can install patches.

A brief search turned up forum postings at Microsoft.com from others with this problem. This thread, XP SP3 Preventing any other Windows Update Installs, started almost 3 months ago.

The thread includes an email from Microsoft technical support with three possible fixes. One of them, involving re-registering DLLs, was my fallback if the first suggestion didn't work. Scott Dunn from Windows Secrets covered re-registering Windows Update DLLs last September in Stealth Windows update prevents XP repair.

Finally, let me repeat a warning about upgrading to Internet Explorer 7. When you first install IE7, you get a known buggy version. After rebooting, run Windows Update immediately to get the patch shown below.


Update July 27, 2008: After installing XP SP3 and all the subsequent patches on three more computers, my best guess is that the problem has to do with the type of license for Windows. On all four machines that were purchased from the same hardware vendor (very different models), Windows Update broke. However, a copy of Windows XP purchased at retail in a shrink-wrapped box had no problems with Windows Update.


July 22, 2008 8:23 PM PDT

Post-SP3 patch breaks Windows Update

by Michael Horowitz
  • 4 comments

On two Windows XP machines of mine, the installation of post-SP3 patches has broken Windows Update.

I first wrote about this yesterday, when it happened on one machine. Today, on a computer with very different hardware, the problem repeated itself.

In both cases the computers had no application software installed. Each had only Windows XP SP2 and a handful of vendor installed utilities. Neither machine had any anti-malware software of any kind, not even a firewall (other than XP's firewall). Both were running Internet Explorer 6.

Each time I started by installing SP3 and rebooting. Next, I ran Windows Update manually and opted to install all the post-SP3 patches, with the exception of Internet Explorer 7. I prefer to install IE7 by itself. The patches install fine, and I reboot again.

At this point Windows Update no longer works.


As I suggested three months ago, it's best to hold off on Service Pack 3.

Update July 27, 2008: This problem is not related to IE6, it was re-produced on two machines running IE7. At this point, I have tried to reproduce it on five computers. My best guess now is that the problem has to do with the type of license for Windows. On four machines that were purchased from the same hardware vendor (very different models), Windows Update broke. However, a copy of Windows XP purchased at retail in a shrink-wrapped box had no problems with Windows Update.

One Windows XP test machine started out with no service packs. I installed SP2, rebooted, installed IE7, rebooted, installed SP3, rebooted and then installed all the post-SP3 patches except for one. One patch had to be omitted because without something to install there is no way to know that Windows Update is broken. Specifically, I chose not to install KB923789, an update to the Adobe Flash player. The post-SP3 patches that I did install were KB951748, KB951978, KB890830, KB951376, KB950762, KB950760 and KB942763. One of them broke Windows Update.

For the fix to Windows Update see Fixing Windows Update on XP SP3

July 21, 2008 7:34 PM PDT

Microsoft: No tech support for you

by Michael Horowitz
  • 19 comments

The day Windows XP SP3 was released I advised waiting a long time before installing it. In the three months since, I haven't installed it on a computer that mattered to me. Today, I installed it on a computer that didn't matter much, and it caused a problem. So, I tried to take advantage of the free tech support Microsoft offers for SP3 - and got a lesson in fine print.

The computer shipped with Windows XP SP2 and some vendor utilities installed. It was a good guinea pig for SP3 because there were no user-installed applications and no user-created data files on the machine.

I downloaded and installed SP3 without incident. Then I rebooted and ran Windows Update again to get the latest patches. There were a handful of recent patches, and I installed all of them except for Internet Explorer 7. This too went fine and I rebooted again, little knowing the grief that awaited.

Back to Windows Update to install IE7. As you can see below it found another patch too.


Now however, Windows Update can't install either the patch for the .NET framework or IE7. It politely says that "Some updates were not installed".


Under the error (see below), it says to try again. So I did, but that didn't help. I tried one at a time, but that didn't help either. I rebooted, to no avail.


So I called Microsoft (866-234-6020) hoping to get some of the free tech support for XP SP3 mentioned here. But I didn't qualify.

The free support is for "installation and compatibility". In my case SP3 installed fine so I don't qualify there. And compatibility doesn't seem to include SP3 being compatible with Windows Update.

No Free IE7 Tech Support Either

While on the phone with Microsoft, I have an idea. Because of the problem, I couldn't install Internet Explorer 7 and Microsoft offers free tech support for IE7 too. This page clearly refers to "Free Internet Explorer 7 installation and set-up phone support".

Switching from asking for XP SP3 support to asking for IE7 support stumped the person I was speaking to, and I had to wait on hold while he got a ruling from the judge. Again, I didn't qualify.

Despite the offer of free installation support for IE7 and despite the fact that I couldn't install IE7, the Microsoft person explained that since my problem was really with Windows Update, I didn't qualify for the free help.

The patch for the .NET framework did me in. Since it also wouldn't install, this pointed the finger at Windows Update rather than at IE7. Adding insult to injury, Windows Update created the need for this patch by installing the known buggy Service Pack for the .NET framework in the first place, a situation I wrote about back in April (see Don't get burned by Windows Update).

Lawyers reading this must find it a hoot. Internet Explorer 7 is installed with Windows Update and there is free telephone support for installing the product. But if Windows Update is the problem, no free support.

After hanging up, I tried Microsoft Update instead of Windows Update, but it failed in the same way. When turning off the machine, automatic updates tried to install a patch, but that failed. At the next boot, automatic updates wanted to install both IE7 and the patch for the .NET framework. I let it try, but it failed in the same way. At the next shutdown, Windows again tried to install a patch. It's confused.

Microsoft offers free tech support for Windows Update too. But that's not on the phone, only by email. I went down that route, filling out the necessary forms and accumulating the required data.

I don't expect it to lead anywhere. For one thing, as you can see from the screen shots above, there is no error code, just a generic warning about "a problem". I checked the event logs and there were no error messages there either. Debugging errors without an error code is really hard, especially by email.

I think it's time for some more Linux postings.

Update: July 22, 2008: This was not a fluke, it happened again on another machine.


July 10, 2008 2:53 PM PDT

Why you want a Linux Live CD

by Michael Horowitz
  • 12 comments

For the most part, on this blog, I try to convince readers to do something defensive on their computers - like a parent nagging a child to eat their vegetables. Only once have I put my foot down, so to speak, saying unequivocally last year that all Windows XP users should employ DropMyRights. Now, another emphatic endorsement - all Windows users should have a Linux Live CD, and, know how to use it.

If you're not familiar with the term "Live" applied to a CD, that's because it's not something that exists in the Windows world. Linux can do something Windows can't, run (not just install) from a CD. You can run Linux off a Live CD even on a computer that doesn't have an internal hard disk.

There isn't a single Linux Live CD any more than there is a single Linux. Live CDs were initially a great way to kick the tires on various Linux distributions. That still holds, but I suggest them for other reasons.

Have you ever panicked when Windows won't boot and you really need the files on the computer? You can boot from a Linux Live CD and easily copy files to an external hard disk, a USB flash drive or another computer on a Local Area Network. With a little work you should also be able to burn a CD or DVD. In the old days Linux struggled with the NTFS file system, but those days are long gone. Depending on the Linux distribution you choose, the hard disk may default to "read-only" mode, but this isn't a problem if all you want to do is copy files off the machine.

Speaking of the old days, Linux distributions used to have install CDs and Live CDs. Now, many CDs do both. Ubuntu, for example, introduced the ability to install onto the hard disk from the Live CD in version 6.06.

When Windows won't start up, the first debugging issue is always whether it's a hardware or software problem. Here too, a Live CD can help. If Linux boots and runs fine, and can see and view all the files on the hard disk, then you most likely have a software problem. If a Linux Live CD won't boot, there's a chance that it stumbled on some hardware it can't deal with. Therefore, it's best to boot with your chosen Live CD as soon as you get it. If a previously tested Live CD no longer boots, you've probably got a hardware problem. No rocket science here.

If Windows is corrupted or infected with malware, a Linux Live CD can give it a new lease on life. Although running from a CD is much slower than running from an internal hard disk, the Live CD can restore Internet access. This is all but guaranteed for an Ethernet-based broadband connection and may even work for a WiFi connection.

The previously mentioned read-only mode for the hard disk can prove useful too. To some children, the web browser is the computer. You can set them loose on Firefox running off a Live CD and be 100% sure they won't screw up the installed copy of Windows in any way, shape or form.

A Live CD can also be used to fix a broken copy of Windows. Yes, Windows has a Recovery Console, but a Live CD has its pluses. For one, the Recovery Console is only an option if you have a Windows CD. Also, at least with XP, you have to provide an Administrator password to use the Recovery Console, not so with a Live CD. And, if the problem with Windows has to do with the part of the registry that stores passwords, you'll never be able to get into the Recovery Console. Plus, it's command line based whereas Live CDs offer a GUI. Finally, a Live CD offers many more options for copying files off the computer than does the Recovery Console.

Windows XP users may also appreciate that Linux Live CDs can be used to re-partition the hard disk, saving the cost of commercial products such as Partition Magic. I have to stress, however, that any partitioning operation is dangerous, no matter what software is employed, and you should always back up everything you can think to back up before changing partitions.

As for cost, Linux Live CDs are free. You can download the Live CD for any number of Linux distributions as a single ISO file. Just burn it to a CD and you're done. Ubuntu goes even further. If you don't have a broadband connection or can't burn your own CDs, Canonical will send you a free CD in the mail. For other ways to get it see here and here (look for the 8.04 LTS Desktop edition).

As with DropMyRights there is no down side to having a Linux Live CD at the ready.

Extras

The Live Ubuntu CD offers a very handy extra, a ram diagnostic program. Below you see the options presented when booting from the CD. The first option "Try Ubuntu without any change to your computer" runs Ubuntu from the CD. The fourth option "Test memory" invokes the Memtest86+ ram diagnostic.


When Windows is acting up, a ram diagnostic is always a good thing to try. Memtest86+ will run forever if you let it. I'd run it for about 8 hours. Look at the "Pass" and the "Errors" column. Eight hours should be enough time, on most computers, for quite a few passes through the ram. Needless to say, we want zero errors. They'll be hard to miss, Memtest86+ displays details about any errors in bright red.


Bought a new computer? A few hours worth of ram testing is highly recommended.

In researching this, I also tried the Linux Mint Live CD which seems like it provides access to Memtest86+. It didn't. In my virtual machine, the Live CD ISO booted straight to the Linux desktop. Likewise, the "hybrid" Live CD of Mandriva Linux 2008 Spring One also didn't offer a boot time menu, but instead booted to the desktop after asking some questions about my preferred language and country.

OpenSUSE version 11 has a boot menu that, like Ubuntu, offers a "Memory Test" (see below). It too invokes Memtest86+, in fact, it runs version 2.01 which is newer than the version included with Ubuntu 8.04.


Ultimate Boot CD for Windows

The Linux user interface isn't all that different from Windows. Still, if you're allergic to Linux, or married to Microsoft, then check out the Ultimate Boot CD for Windows. It's the closest thing I've found to a Linux Live CD, in fact the price is the same: free.

The downside, however, is that it requires a Windows XP or Server 2003 CD and support for Vista is far from complete. In a nutshell, it's an XP thing. Also, there are a number of steps to creating the CD; it's more involved than simply burning an ISO file.

But, if you spend time with UBCD for Windows you can run assorted anti-malware programs from the CD you create to (hopefully) disinfect a copy of Windows. Even without anti-malware, it comes with a huge list of useful reporting and diagnostic programs. I was introduced to my favorite disk image backup program, Drive Image XML from Runtime Software by UBCD for Windows. If nothing else, it too, can be used to copy files off a computer when Windows won't boot. Highly recommended.


July 9, 2008 10:59 PM PDT

Are Mac users buying the remaining copies of Windows XP?

by Michael Horowitz

Six hours ago Ina Fried wrote that Windows XP is a hot item at Amazon.com. The full version of XP Home was number 15 on the software hit parade and the full version of XP Professional was number 21. Amazon updates the list hourly. As I write this, XP Professional is up to number 14, though XP Home slipped down to 16.

There are many ways to slice and dice Windows XP, but I'm going to focus on three "families" - full (expensive), upgrade and OEM (cheap).

The two best selling versions at Amazon are from the "full" family. Full versions of XP can be installed on a virgin computer, or more likely, a virgin virtual machine. My guess is that Mac users are gobbling up the full editions of XP to run in virtual machines alongside OS X. I say this because Mac OS X Leopard is number 7 on the list, VMware Fusion is number 5 and Parallels Desktop is number 17. Fusion and Parallels both provide virtual machines for OS X.

I also think this because the more expensive full versions of XP are outselling the cheaper upgrade versions.

The upgrade version of XP is what most people buying a shrink-wrapped copy of the operating system purchased over the last seven years. Before an upgrade edition of XP installs, it has to find either an older copy of Windows already on the computer, or you have to provide it with a CD of an earlier copy of Windows. The description of the upgrade edition of XP at Amazon.com is wrong. It says "Upgrade only; previous version of XP required." You need a previous version of Windows, not a previous version of XP. For example, upgrade versions of XP will install fine when presented with a copy of Windows 2000.

Both the upgrade and the full versions of XP share a common trait: they are retail editions. As such, tech support is provided by Microsoft and you can call them on the phone for help. I forget the exact rules but the first couple or so calls are free. At least until April 2009, when Microsoft will no longer offer free tech support for retail copies of XP.

Finally, there are OEM copies of Windows XP, sold by retailers such as NewEgg (which also sells the full and upgrade editions). These are the cheapest way to go, but they include no tech support at all. The intended audience for OEM copies are small companies that build computers. When you buy a computer with Windows XP pre-installed from such a company (often called a "system builder") they provide tech support for Windows, not Microsoft.

Another difference is that the retail copies of Windows XP can be installed on one computer at a time. If the computer dies, you can move that copy to a different machine. Not so with the OEM copies. They are married to the computer they are first installed on. If it dies, so too does your license to run that copy of Windows.

For those of us who prefer XP over Vista, an important difference between the OEM and retail editions is that Microsoft still offers the OEM editions. The retail versions are being sold from stock by retailers. When the stock runs out, that's it.

Who can buy OEM copies of Windows XP? According to this June 24th article at PC Magazine, anyone willing to live by the OEM rules.

Of course, buying a shrink-wrapped copy of XP is only one of many ways to still get your hands on a copy.

Windows XP will be supported by Microsoft until 2014, so an investment in a shrink-wrapped copy won't sour.


June 3, 2008 10:05 AM PDT

Installing patches 101

by Michael Horowitz

My last couple of postings were about a bug fix for Windows that I think is best avoided. Dealing with this particular fix raised the issue, for me, of how best to deal with installing all patches from a Defensive Computing standpoint.

I spent 10 years in the mainframe world administering to DB2 databases. The conundrum with installing patches is the same on mainframes as with PCs. Should you install every bug fix as soon as it's released or should you hold back a bit? And, if you do hold back, for how long?

The problem, in both environments, with installing bug fixes ASAP is that some will inevitably cause more problems than they fix. And when they do cause a problem, it may be a biggie, because a work-around could be days away. The problem with holding back, again in both environments, is how long to wait until you are reasonably sure that a patch won't break something accidentally. Do you install bug fixes a week after they were released? A month? Two months?

Mainframers have some advantage over Windows users when it comes to installing patches.*

For one, they can opt to not install patches until they "ripen" (my term). Assuming, for example, that patches are released monthly, a mainframe administrator can, if they want, install March patches in May and April patches in June. Windows/Microsoft update has no such date-oriented feature.

Another advantage is that mainframe patches are usually overseen by someone expert in the software being maintained. That is, a DB2 expert reviews the DB2 patches and can decide to omit some if, for example, they apply to features not being used. Likewise, patches for the operating system (z/OS) are typically reviewed by an expert in the OS before being applied. Needless to say, most PC users cannot evaluate for themselves whether a particular patch is really needed or not.

Patching for non-techies

So, what should non-technical PC users do?

There is no one right answer. If non-techies install patches as soon as they are released, they are the least qualified to deal with problems caused by buggy patches. Yet, leaving their computers vulnerable to newly discovered bugs is risky too.

Many people recommend that non-techies let Windows automatically install patches as they are released. To recommend this is to trust Microsoft a bit more than I do. But, if the computer is used for non-essential things, and being without it for a period of time is no big deal, then installing patches automatically is the way to go. If the computer in question is used by children a lot, then again, installing patches immediately is probably the best approach.

But some non-technical users make their living using a Windows computer, and they can't take the risk of a buggy patch causing a problem for which a fix may be days away. These people are probably better off waiting until a computer nerd can assist them, even if it means being vulnerable to a newly discovered bug.

Patching For Techies

If you have the technical skill and the inclination, then I suggest turning off all the automatic processing offered by Windows/Microsoft Update. Don't even let it check for updates without downloading them. On top of this, I would also disable the underlying Automatic Updates Windows service (In XP, Control Panel -> Administrative Tools -> Services).

Once a month, I would enable and run Windows/Microsoft Update manually, then immediately disable it again.

When to run it? Installing patches a few days after Patch Tuesday gives Microsoft time to fix or withdraw any patches that caused widespread problems. Sometimes patches can be easily un-installed, but not always. Unless you make a disk image backup beforehand, I'd be very wary of installing patches on Patch Tuesday.

The classic trade-off has always been between security and convenience. Manually running Windows Update once a month is, admittedly, a nuisance.


To run a completely disabled instance of Windows/Microsoft Update in XP, you start by enabling the Automatic Updates service. This requires both setting it to start Automatically (note that it must be set to an "Automatic" startup; for some reason "Manual" is treated the same as disabled) and then manually starting it. Then run the update, selecting "Custom" rather than "Express" processing (see above). Before shutting down Windows, stop and disable the Automatic Updates service again. The Background Intelligent Transfer Service can be left at Manual startup at all times.
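The enable, update, disable cycle described above can be scripted from a command prompt. The batch file below is an added example, not part of the original post; it assumes Windows XP, an administrator account, and that `wuauserv` is the short name of the Automatic Updates service (the post does not give the service name).

```batch
@echo off
rem Added example: monthly manual-update routine for Windows XP.
rem Assumption: wuauserv is the short name of the Automatic Updates service.
setlocal
set SVC=wuauserv

rem Startup type must be Automatic; the post notes that Manual behaves like Disabled here.
rem sc.exe requires the space after "start=".
sc config %SVC% start= auto >nul
if errorlevel 1 (
    echo Could not change the startup type of %SVC%. Run this as an administrator.
    goto :end
)

net start %SVC%
rem net start also returns an error when the service is already started,
rem so confirm the actual state instead of trusting the exit code.
sc query %SVC% | find "RUNNING" >nul
if errorlevel 1 (
    echo %SVC% did not start; putting it back to disabled.
    goto :lockdown
)

echo.
echo Run Windows/Microsoft Update now and choose "Custom", not "Express".
echo If an update asks to restart, postpone the restart and return here first.
pause

:lockdown
rem Stop the running instance, then prevent it from starting again.
net stop %SVC%
sc config %SVC% start= disabled >nul

rem Print the resulting state and startup type so the result can be checked by eye.
sc query %SVC% | find "STATE"
sc qc %SVC% | find "START_TYPE"

:end
endlocal
```

The last two lines should report `STOPPED` and `DISABLED`; if they do not, the service is still able to run and should be disabled from the Services console before restarting.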

Disabling the Automatic Updates service has two added benefits. The minor one is that it enables XP to start up a bit faster.

The major one is that it also helps to protect you from Microsoft, which last September, forced updates on computers that were configured not to be automatically updated. I blogged about this at the time, see Windows is spyware and Defending yourself against Microsoft. I also recommend reading the September 13, 2007 edition of the Windows Secrets newsletter, specifically the lead article by Scott Dunn, Microsoft updates Windows without users' consent.

On a related note, as I wrote in April, Windows XP users should not be in a rush to install Service Pack 3. In fact, if someone suggested installing SP3 soon after it was released - don't take advice from them in the future. The problems that cropped up after its release were as predictable as the sun rising in the morning and the benefits are, by all accounts, minimal.

Patching Other Software

But what about the tons of other software, besides the operating system, that also needs to be patched?

In the Windows world this is a mess, if not a disgrace. Every software company re-invents the wheel when it comes to updating their software.

I'm not a Mac person, but I believe the situation is basically the same there: Apple's equivalent to Windows Update only updates Apple software. Linux has great potential in this area but I'm not familiar enough with it to judge if the potential is being realized. I do know that a number of Linux distros resisted my attempts to figure out how to update software. At least Windows Update is simple and easy to use, even in manual mode. Recently, a copy of gOS running on a new computer totally refused to update anything and the error messages were of little help.

Macs and PCs will always be unreliable without a single patch delivery system for all the installed software.

In the meantime, some businesses make do with assorted commercial products that install patches to a wide range of software. A large computer company has home-grown software for doing this on the machines of employees. Home users have the Secunia Online Software Inspector; flawed though it is, you're much better off using it than avoiding it. FileHippo has a free update checker for Windows machines, but it is in beta test and requires .NET framework version 2. CNET offers VersionTracker, but it is not well rated by the 387 users that rated it.

In the long run this argues for Software as a Service, if for no other reason than, as in the mainframe world, experts oversee the patch process rather than normal, non-techie users. It may also lead to some type of virtualized desktop, again, motivated by the need to increase reliability by controlling software installations. Personally, I'm a huge fan of portable applications, that is, software that can run without being installed (www.portableapps.com has a great collection). And while I'm not a big fan of software like GoBack to rollback system activity, it may justify itself by being able to undo any software installation, be it a patch or not.

Personal computing is a young field, and the way patches are handled shows all too clearly that this is still the Fred Flintstone era.

*NOTE: What Windows people refer to as a "patch" or "update", mainframe people refer to as a PTF - Program Temporary Fix.


About Defensive Computing

Michael Horowitz is an independent computer consultant and the author of several classes on Defensive Computing. He views Defensive Computing as taking steps, when things are running well, to avoid or minimize the inevitable problems down the road. It's about educating yourself to the level where you can make your own intelligent decisions about keeping your computers and data happy and healthy. If you depend on computers, yet are on your own, without an IT department or nearby nerd, this blog's for you. His personal web site is michaelhorowitz.com.

He is a member of the CNET Blog Network and is not an employee of CNET.
