Windows NT 4.0 Service Pack and Hotfixes Reference.


Occasionally Microsoft issue a series of corrections and / or additions to an operating system after it's commercial release. The purpose of these additional patches is to:
  1. Remove a security exploit or vulnerability.
  2. Correct bugs or oversights in the original design of the Operating System.
  3. Enhance support for existing hardware or add support for new hardware produced after the OS release.
  4. Change the way hardware is supported to allow for unexpected behaviour.
  5. To change the way in which information in the OS is presented to ease operation, configuration or setup.
These patches are normally referred to as a "Service Pack" or "Hotfix". A Service Pack is a major package which often corrects or changes hundreds of OS items simultaneously. A Hotfix is usually aimed at correcting only one, or a small number of items. In some instances, several hotfixes may be combined into a package referred to as a "Rollup".

For a more detailed summary of the terminology used by Microsoft to describe the types of patches and their ranking of importance see Knowledgebase article 824684 - Description of the Standard Terminology That is Used to Describe Microsoft Software Updates.

Service Packs are ALWAYS cumulative - that is, it is only necessary that you apply the most recently released one for your Operating System - all revisions which existed in previous Service Packs are included in the latest release. Hotfixes and Rollups are NOT cumulative and must be individually applied to a system - the order in which they are applied is also important.

A Service Pack, Hotfix or Rollup will automatically update all necessary files on the system - it is not necessary for you to manually copy, rename or delete any system files during their application. After the update completes, a shutdown and restart will occur to finalise the file replacements. This is required to allow NT to replace files that were in use or otherwise locked whilst the system is running.

NT 4.0 and Service Pack Status:

The table below outlines the history of Windows NT 4.0. The dates apply to all "flavours" including Server, Workstation, Terminal Server Edition and Enterprise Edition unless otherwise noted.

TitleDate ReleasedSupport Ceased
Windows NT 4.0 OS (Build 1381)29 July 199631 December 2004 - See Note Below
Service Pack 116 October 199614 March 1997
Service Pack 214 December 199615 August 1997
Service Pack 315 May 199725 January 1999
Service Pack 425 October 19984 August 1999
Service Pack 54 May 199930 February 2000
Service Pack 6a30 November 199930 June 2004 - See Note Below
Post SP6a Security Rollup (SRP)26 July 200130 June 2004 - See Note Below

Note: SECURITY ONLY hotfix support extended to 31 December 2004 for all versions EXCEPT Workstation. All support for Workstation ended on 30 Jun 2004. For further information, see these notes.

The current revision level for Windows NT 4.0 Workstation and Server is Service Pack 6a. To see what problems have been addressed in this and previous service packs, look at the following Knowledgebase articles:

For reference, here are the counts of the number of issues addressed by each Service Pack released to date for NT 4.0:

Service Pack Bug Counts
Service PackIssues Addressed
Service Pack 19
Service Pack 2142
Service Pack 3181
Service Pack 4713
Service Pack 5239
Service Pack 6/6a278
Post SP6a SRP53

To verify your current Service Pack level do the following:

If the dialogue box presented includes the text "Revised Service Pack 6a" then it has already been applied to the system. For a more details and other methods to confirm what Service Pack has been installed see Microsoft Knowledgebase article 132475 - Determining If a Service Pack Has Been Installed.

After Service Pack 6a is applied, you can then make your way through the list of hotfixes presented in the table below. My suggestion is to stick to the order presented unless you have good reasons for changing it. Most of the hotfixes are SECURITY related. If you have doubts about a vulnerability consult the relevant Security Bulletin from Microsoft (also a "clickable" link in the table) for details.

WARNING: If you add software to your system:

it may be necessary to repeat the installation of the Service Pack and hotfixes.

Failure to follow correct procedure may result in STOP errors. To avoid this situation reapply the required Service Pack, Hotfixes and / or Rollups immediately after the original files have been copied from the NT 4.0 master CD and BEFORE the system is rebooted. If in doubt, ask for guidance.

A good file tracking application like FileImg from the Windows NT 4.0 Resource kit can simplify matters by making it clear whether anything on the base OS install has been modified or regressed.

If you want to check which hotfixes are installed on a system I recommend "PSInfo", part of the PSTools package from SysInternals.

Check Security Status:

Bear Windows has written an excellent article on how to use MBSA (Microsoft Baseline Security Analyser) on NT4.0 systems. MBSA checks the security and patch status of many Windows components, not just the Operating System itself. It is located at: "Problem 12: How to control security patches and critical updates installed in Windows NT/2K/XP/2003"

Secunia run an excellent web site that tracks known vulnerbilities in computer software (including Operating Systems), their seriousness, and patches to correct the problems. Here are the links for Windows NT4.0:

Recommended Reading:

I suggest you consult the following Knowledgebase articles for a more detailed explanation of what problems you may encounter when applying Service Packs or Hotfixes (items in Bold are important): If the machine had NT 4.0 installed using the "unattended" method, it is also recommended that you heed the warning published in Microsoft Security Bulletin MS99-036 - Windows NT 4.0 Does Not Delete Unattended Installation File.

How to Use This List:

The numbers of the Knowledgebase articles presented are "clickable" links that will open the full text of the item (by going to the Support site at in a NEW browser window. Close the window to return to this site.

Colour coding is used to signify the level of danger an unpatched system may encounter as follows:

Notes may detail means by which the vulnerability can be lessened or negated.
PinkCRITICALIt is VITAL that this patch be installed to ensure system safety.
Light GreyRequiredPatch is STRONGLY recommended.
Light YellowOptionalThis patch may be important, but is only required in specific circumstances as detailed in the Notes.

You can download the required patch from the Microsoft servers using the supplied link on the relevant Knowledgebase page. Hotfixes that have been obsoleted by more recent patches are NOT mentioned in this list, and do not have to be applied.

Please read the notes relating to the Service Pack or Hotfix before applying it to your system. In some cases, failure to follow the correct procedure when applying a patch may lead to an unbootable system.

Article NumberTitleSecurity BulletinNotes
242294MS99-041: Security Descriptor Allows Priviledge Elevation on Remote ComputersMS99-041None
244599Fixes Required in TCSEC C2 Security Evaluation Configuration for Windows NT 4.0 Service Pack 6aNoneApply Service Pack 6a First
246009Windows NT 4.0 Service Pack 6a AvailableNoneNone
258437FIX: GetEffectiveRightsFromAcl() Fails in Service Pack 6NoneApply Service Pack 6a First
272386Upgrade Prompt for Windows Media Player Appears ContinuallyNoneOnly Required if Media Player V6.4 Installed - Manual Registry Patch
299444Post Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)Additional Information BelowRequires Service Pack 6a First - Caution: See KB Articles 305462, 305929, 307866, 318420 and 326248 Before Applying
300987Windows NT 4.0 Winbond Super I/O Floppy Disk Controller May Not Report Data Underrun or Overrun Condition CorrectlyNoneOnly Required for Hardware Specified
304158Patch for "HyperTerminal Buffer Overflow" Vulnerability in Windows NT 4.0MS00-079Only Required if HyperTerminal Accessory is Installed
307866You Cannot Log On to the Computer After You Run a Repair Process if SRP is InstalledNoneCaution: Ensure This Hotfix Applied After Security Rollup 299444
314147MS02-006: An Unchecked Buffer in the SNMP Service May Allow Code to RunMS02-006Only Required if SNMP Service is Installed
318138MS02-029: Unchecked Buffer in Remote Access Service Phonebook Allows Code to RunMS02-029None
320206MS02-024: Authentication Flaw in Windows Debugger Can Cause Elevated PrivilegesMS02-024None
320920MS02-032: Windows Media Player Rollup AvailableMS02-032Only Required if Media Player V6.4 Installed - This Patch Supersedes and Totally Replaces 308567, 320944, 321678
Manual Registry Patches Required - See KB Articles 272386 and 320944 for further details
323172Flaw in Certificate Enrolment Control May Cause Digital Certificates to be DeletedMS02-048None
323255MS02-055: Unchecked Buffer in Windows Help Facility May Allow Attacker to Run CodeMS02-055Only Required if Hypertext Help Facility Installed
326830MS02-045: Unchecked Buffer in Network Share Provider May Lead to Denial-of-ServiceMS02-045None
331953MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service AttacksMS03-010Caution: No Available Patch for NT 4.0 - Ensure Port 135 is blocked by Firewall
810833Unchecked Buffer in the Locator Service Might Permit Code to RunMS03-001None
814078MS03-008: Flaw in Windows Script Engine May Allow Code to RunMS03-008Only Required if Microsoft Java Virtual Machine Installed
815021MS03-007: Unchecked Buffer in Windows Component May Cause Web Server Compromise (ntdll.dll)MS03-007None
817606MS03-024: Buffer Overrun in Windows Could Lead to Data CorruptionMS03-024None
819696MS03-030: Unchecked Buffer in DirectX Could Enable System CompromiseMS03-030Only Required if Media Player V6.4 or Internet Explorer V6.0 (SP1) Installed
823559MS03-023: Buffer Overrun in the HTML Converter Could Allow Code ExecutionMS03-023Only Required if HTML Authoring Software (eg: Office) Installed
823803MS03-029: A Flaw in a Windows Function Might Allow Denial of ServiceMS03-029Caution: See KB Article 825501 Before Applying - This Patch Refuses to Apply on a Workstation System (See Note 1)
824105MS03-034: Flaw in NetBIOS Could Lead to Information DisclosureMS03-034This Patch Refuses to Apply on a Workstation System (See Note 1)
828035MS03-043: Buffer Overrun in Messenger Service Could Allow Code ExecutionMS03-043Caution: See KB Article 831579 Before Applying
828741MS04-012: Cumulative Update for Microsoft RPC/DCOMMS04-012Danger: Known Security Exploit - Ensure this Hotfix is Applied. This Patch Supersedes and Totally Replaces 823980 (MS03-026) and 824146 (MS03-039)
832353FIX: Some URL Script Commands Do Not Work After You Apply Windows Media Update From Knowledgebase Article 828026NoneOnly Required if Media Player V6.4 Installed. This Patch Supersedes and Totally Replaces 828026
See 828026 for Important Information on Setting Registry Controls
835732MS04-011: Security Update for Microsoft WindowsMS04-011Danger: Critical Security Status - Ensure this Hotfix is Applied. This Patch Supersedes and Totally Replaces 329115 (MS02-050), 328310 (MS02-071), 811493 (MS03-013), 823182 (MS03-041), 824141 (MS03-045) and 828028 (MS04-007)
Caution: See KB Article 841180 and 841384 Before Applying
840987MS04-032: Security Update for Microsoft WindowsMS04-032This Patch Refuses to Apply on a Workstation System (See Note 2)
841356MS04-037: Vulnerability in Windows Shell Could Allow Remote Code ExecutionMS04-037This Patch Supersedes and Totally Replaces 839645 (MS04-024)
841533MS04-031: Vulnerability in NetDDE Could Allow Remote Code ExecutionMS04-031This Patch Refuses to Apply on a Workstation System (See Note 2)
841872MS04-020: A Vulnerability in POSIX Could Allow Code ExecutionMS04-020None
870763MS04-045: Vulnerability in WINS Could Allow Remote Code ExecutionMS04-045Only Required for Server System Providing WINS
873339MS04-043: Vulnerability in HyperTerminal Could Allow Code ExecutionMS04-043Only Required if HyperTerminal Accessory is Installed - This Patch Refuses to Apply on a Workstation System (See Note 2)
873350MS04-029: Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of ServiceMS04-029This Patch Refuses to Apply on a Workstation System (See Note 2)
883935MS04-036: Vulnerability in NNTP Could Allow Code ExecutionMS04-036Only Required for Server System Providing NNTP Service
885249MS04-042: A Vulnerability in DHCP Could Allow Remote Code Execution and Denial of ServiceMS04-042Only Required for Server System Providing DHCP Service
885250MS05-011: Vulnerability in Server Message Block Could Allow Remote Code ExecutionMS05-011Caution: No Available Patch for NT 4.0 - Primary Threat would be from SMB traffic within the LAN
885834MS05-010: Vulnerability in the License Logging Service Could Allow Code ExecutionMS05-010Only Required on a Server System Running Licensing Service
885835MS04-044: Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of PrivilegeMS04-044This Patch Refuses to Apply on a Workstation System (See Note 2)
885836MS04-041: A Vulnerability in WordPad Could Allow Code ExecutionMS04-041This Patch Refuses to Apply on a Workstation System (See Note 2)
890175MS05-001: Vulnerability in HTML Help Could Allow Code ExecutionMS05-001Only Required if Internet Explorer V6.0 or above is Installed
Caution: See KB Articles 892641 and 892675 Before Applying
891711MS05-002: Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code ExecutionMS05-002This Patch Refuses to Apply on a Workstation System (See Note 2)
912919MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code ExecutionMS06-001Caution: No Available Patch for NT 4.0 - Files of Type .wmf should be handled with care
921883MS06-040: Vulnerability in Server Service Could Allow Remote Code ExecutionMS06-040Caution: No Available Patch for NT 4.0 - Ensure TCP Ports 139 and 445 are blocked by Firewall


  1. Microsoft offer a patch for Workstation by making a request by phone or email to customer support. Alternately, see the procedure described here.
  2. These patches are officially "unsupported" by Microsoft for use on a Workstation system. This is merely a commercial decision. The hotfix.inf can be adjusted to override this - see the procedure described here.

Additional Information Regarding the "Post Service Pack 6a Security Rollup" (SRP - Hotfix Q299444):

The Security Rollup (SRP) is a single package which contains the following 53 hotfixes which had been previously released:

Making the Latest Hotfixes Work on Workstation:

<Short political rant follows>
Microsoft have taken the extraordinary position of ending security hotfix support for Workstation 6 months prior to Server. I'm afraid I am left with no option but to conclude that this is a grubby commercial decision in the ongoing campaign of trying to kill NT4 off. If you check the "Product Lifecycle" page at the Microsoft website, you will discover the NT4 (and specifically Workstation) has a remarkably SHORTER OS product lifecycle as compared to the latest releases. (Windows 2000, Windows XP and Windows Server 2003)

To attempt to shorten it's life still further, by denying users access to essential security patches, is unconscionable. It could be argued that it is essential that these hotfixes be applied if at all possible, to lessen any security risks exposed by the "holes" in the OS. It could be further argued that Microsoft, in taking the deliberate step of refusing to offer these patches for Workstation, is attempting to convince customers that the OS is now "unsafe" and should be upgraded. I also believe the timing of these hotfixes is extremely questionable. How convenient it is that such a major raft of serious security flaws are found only 3 months after support has ended.

I consider this further compelling evidence of a deliberate campaign to end Windows NT 4.0 whilst it is still a useful and active participant in general computing.

The reality is that the security hotfixes released after 30 June 2004, and that are supposedly "NT4 Server only", are able to be used on Workstation equally as well. To adjust the patches for use, expand the contents of the downloaded .exe file (using a programme like WinZip) into a convenient folder. Make sure that all the content of the patch is grouped together in this one place. Manually edit the included hotfix.inf file in the package as described here:

Sample Excerpt from a hotfix.inf file: [Version] Signature="$Windows NT$" NtBuildToUpdate=1381 NtMajorVersionToUpdate=4 NtMinorVersionToUpdate=0 NtServicePackVersion=1536 NtMinimumServicePackVersion=1536 HotfixNumber=%HOTFIX_NUMBER% TermServHotfix=0 TermServBuild=419 LanguageType=%LangTypeValue% InstallPlatform=0 ExtendedSupport=1 <=Add This text RequiredFreeSpaceNoUninstall=5 RequiredFreeSpaceWithUninstall=5
Save the amended hotfix.inf in place of the original expanded from the supplied package. Apply the hotfix by simply double-clicking "hotfix.exe". The patch should now execute and apply normally.

ACKNOWLEDGMENT: This technique was first announced in October 2004 by Reed Darsey at I have since independently verified it's accuracy, using Microsoft supplied "Workstation enabled" patches for the items referred to in Knowledgebase articles 823803 and 824105.

Cleaning Up a System After Hotfixes / Service Packs:

When Hotfix.exe or Update.sys replace files on a machine it builds a series of "back out" folders with names in the form $NTUninstallxxxxxx$ (the xxxxxx section is unique for each patch applied and based on the Hotfix number) in the %systemroot% (usually this is \WinNT). When you apply a Service Pack the creation of this "back out" folder is optional, determined by a button you press at the EULA screen of the Service Pack.

WARNING: Microsoft are inconsistent in their creation of "back out" folders. In some instances, uninstall information is placed in a folder in "\Program Files\Uninstall Information" instead.

If you are satisfied that the changes made to your system by Hotfixes and/or Service Packs are stable, and you no longer require the ability to be able to "back out" of the changes, you can remove this uninstall information. This will often free considerable amounts of space in the boot partition. You may simply delete the corresponding $NTUninstall --- $ folder and all it's contents.

The Hotfix / Service Pack also adds an entry in the "Add/Remove Programs" applet of Control Panel. In the interests of not causing future confusion, it is advisable that the uninstall entry be removed from the list, since deletion of the $NTUninstall --- $ folder has rendered the uninstall from Control Panel impossible.

To remove the redundant entries (they take the form of Qxxxxxx or KBxxxxxx) from the "Add/Remove Programs" section of Control Panel, manual editing of the Registry is required. If you unfamiliar with this process, or unsure of what you are doing, seek out experienced assistance. Incorrectly editing the Registry can irreparably damage an NT installation.


Open the registry with RegEdit.exe. Navigate to the key:


Under this key you will find a subkey in the form Qxxxxxx or KBxxxxxx for each Hotfix / Service Pack applied. Delete the appropriate subkey for the hotfix that had it's "back out" folder deleted.

WARNING: Service Packs / Hotfixes / Rollups also add an entry to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix

DO NOT alter this entry in any fashion. These keys list what Hotfixes have been applied. (Programmes like Systems Internals "PSInfo" use this information)

For more information on how a patch is applied using Hotfix.exe and Update.exe see the following Microsoft Knowledgebase articles:


Thanks to Bear Windows, Petros Zimourtopoulos, Taed Wynnell and Roderick Thompson for additions and corrections on this page.

Back to Index

All promotional photographs and advertising material, corporate names and logos, product names, trade names, trademarks and registered trademarks are the property of their respective owners, and are acknowledged as such.
This list is maintained by ZCM Services, Australia. Whilst every care is taken in the preparation of this information, I accept no responsibility for errors or omissions. Use the information presented on this site AT YOUR OWN RISK.
Last Update April 7, 2010 at 9:13 PMAEST.