.NET Framework 1.x and 2.x - End of life

Secunia PSI 3.x is warning me about end of life of Microsoft Framework
..NET 1.x (32-bit) and 2.x (32- bit and 64-bit). 'click to update' leads
me to https://www.microsoft.com/net/download/framework

Weird thing is: Geek Uninstaller, Revo Uninstaller and Program and
Features only show 1.1 and 4.6.1 installed. Where PSI states I have 1.x,
2.x (32 and 64 bit), 3.x /and/ 4.x installed.

I have no idea which programs need 1.x and 2.x. I can delete 1.x with
Program and Features (or use Geek or Revo), but I have no clue on how to
get rid of 2.x. There's a Cleanup Tool he

https://blogs.msdn.microsoft.com/astebner/2008/08/28/net-framework-cleanup-tool-users-guide/

But there's a warning to only use it as a _last resort_.

I did some research, but not many useful results, so I'm a bit clueless
atm. I can use Macrium Reflect to create a backup image and see what
happens when I remove 1.1 (is this advised?), but how to proceed with
2.x? I can imagine that *not* removing both versions is a safety risk.
(?)

Any help will be appreciated.

--
s|b

s|b wrote:

Secunia PSI 3.x is warning me about end of life of Microsoft Framework
.NET 1.x (32-bit) and 2.x (32- bit and 64-bit). 'click to update' leads
me to https://www.microsoft.com/net/download/framework

Weird thing is: Geek Uninstaller, Revo Uninstaller and Program and
Features only show 1.1 and 4.6.1 installed. Where PSI states I have 1.x,
2.x (32 and 64 bit), 3.x /and/ 4.x installed.

I have no idea which programs need 1.x and 2.x. I can delete 1.x with
Program and Features (or use Geek or Revo), but I have no clue on how to
get rid of 2.x. There's a Cleanup Tool he

https://blogs.msdn.microsoft.com/astebner/2008/08/28/net-framework-cleanup-tool-users-guide/

But there's a warning to only use it as a _last resort_.

I did some research, but not many useful results, so I'm a bit clueless
atm. I can use Macrium Reflect to create a backup image and see what
happens when I remove 1.1 (is this advised?), but how to proceed with
2.x? I can imagine that *not* removing both versions is a safety risk.
(?)

Any help will be appreciated.

I don't get rid of old software just because PSI bitched that they were
unsupported. Yeah, big deal. Being unsupported does NOT mean they are
vulnerable. Even if they were, something would actually have to use
that vulnerability. This is like no one is home and a window was open
and someone happens to walk by with an raw egg to hurl in hoping it goes
through the window despite my guard dogs are outside trying to get at
the candidate attacker (my antivirus).

When I used PSI, it would bitch that SamSpade was vulnerable. Nope, not
vulnerable, just old. You won't know which of your programs require the
old .Net version until you remove them and later try to run those
programs. There is no backward linkage from any library to indicate who
might want to use it.

If you want to see what .Net versions are installed, read:

https://msdn.microsoft.com/en-us/lib...v=vs.110).aspx

"s|b" wrote

| I have no idea which programs need 1.x and 2.x. I can delete 1.x with
| Program and Features (or use Geek or Revo), but I have no clue on how to
| get rid of 2.x.

V. 2 was the standard for a long time. People
were having a lot of trouble because the Frameworks
were getting massively bloated and it wasn't always
easy to get software customers to install them.
(I only have any .Net at all on my XP box because I
had to install it for the graphics applet and the printer.
To this day I've never installed either .Net or Java
software.)

Microsoft dealt with the problem of lacking .Net support
in two ways:

1) They moved toward installers that would go online
secretively, installing .Net runtimes without asking.
(Though I don't know the exact details of who pushed
that approach and when.)

2) MS started offering "backward targetting". Visual
Studio was allowing people to target the v. 2 runtime
in order to extend compatibility and reduce the number
of people who would need to install a new version. (Again,
I don't remember the dates when it was common to
target v. 2.) In other words, people writing software
with later versions of .Net had the option to make their
software v. 2-based, as long as they didn't need functionality
specific to v. 3, 4, or whatever. So if you have any .Net
software it may be .Net 2-based.

I wrote a tool some time ago to check .Net dependencies.
It was mainly designed to see whether one can afford to
remove .Net, and it was mainly targetted at XP, where any
..Net at all was optional and generally not necessary:

http://www.jsware.net/jsware/scrfiles.php5#peops

You can try that tool if you want. It just goes through
files, reading the headers of executables to see
if they have a .Net dependency. But it's probably not
necessary. The older versions of .Net are smaller and
harm nothing by being installed. While in later years MS
started forcing the whole thing onto people by pre-installing
the runtimes.

What does all that mean? If it's even true that .Net 1 & 2
are being "end-of-lifed" then I suspect it's probably just
a way for Microsoft to push developers not to support
XP and Vista, as part of their desperate effort to make
Win10 the current version in more minds than their own.
And I can't think of any reason to remove v. 2. I think it's
only about 70 MB. Considering that Win7 is a bloated pig
weighing in at 7-9 GB to start off, and growing from there,
and later .Net versions are far more bloated than 1 & 2,
there's no notable saving in removing that 70 MB.

There have been some security problems with .Net, but
there's no reason to allow it online. And Silverlight has
actually been the main problem. And you can't remove all
of .Net from Win7, anyway.

Note that end-of-lifing a runtime is unprecedented and
really means nothing. As of Win10, VB6, which dates to
1998, still has its runtime pre-installed. Microsoft stopped
pre-installing the VB5 runtime, but it can be installed if people
want to run VB5 software. There's no such thing as an "end
of life" for it because it's not something that gets regular
patches in the first place. A similar case holds with Visual
C++, the most common tool for writing Windows software.
The VC++ 6 runtime is still pre-installed, even though there
hasn't been a new version for many years and Visual Studio 6
has not been supported for many years. They stick around
because Microsoft's main customer is business and businesses
have used these tools to write in-house Desktop software
that needs to be supported. (Such as custom database programs.)

.Net, by contrast, was never a success on the Desktop. It's
a tool for server-side applets on corporate intranets, like Java.
Microsoft originally envisioned also using it for "web services",
starting in 2001, but web services never took off. So MS
pretended .Net was for normal software, which it wasn't. In
2005 they tried to make a version of Windows (Longhorn) that
would be .Net-based. It was the precursor to Metro, running
..Net trinkets in a sandbox. But Longhorn was such an inefficient
pig that they had to give up at the last minute -- which is why
Vista was years late and rough around the edges. .Net is
essentially a superfluous, bloated wrapper around the Windows
API (Windows functions used by software) and as the Microsofties
put it at the time, there didn't yet exist hardware in 2005 that
could handle such a bloated load on resources.


By the time web services really became a thing, they were
being done mainly with script. Even Adobe AIR, Flash and
Silverlight turned out to be overkill for what was needed. So
..Net was used chiefly by MS partners who were apparently
pushed into it. Thus, you may need any, or all, or none of
the .Net versions. And there's little benefit on Win7+ in removing
any of them.

s|b wrote:
Secunia PSI 3.x is warning me about end of life of Microsoft Framework
.NET 1.x (32-bit) and 2.x (32- bit and 64-bit). 'click to update' leads
me to https://www.microsoft.com/net/download/framework

Weird thing is: Geek Uninstaller, Revo Uninstaller and Program and
Features only show 1.1 and 4.6.1 installed. Where PSI states I have 1.x,
2.x (32 and 64 bit), 3.x /and/ 4.x installed.

I have no idea which programs need 1.x and 2.x. I can delete 1.x with
Program and Features (or use Geek or Revo), but I have no clue on how to
get rid of 2.x. There's a Cleanup Tool he

https://blogs.msdn.microsoft.com/astebner/2008/08/28/net-framework-cleanup-tool-users-guide/

But there's a warning to only use it as a _last resort_.

I did some research, but not many useful results, so I'm a bit clueless
atm. I can use Macrium Reflect to create a backup image and see what
happens when I remove 1.1 (is this advised?), but how to proceed with
2.x? I can imagine that *not* removing both versions is a safety risk.
(?)

Any help will be appreciated.


I don't know if I can successfully describe the relationships
or not any more. So this is just a best guess.

Some layers are installed (by default) as part of the OS.
And some are add-ons (a tick box in Programs and Features, or otherwise).
Some are pushed relentlessly by Windows Update.

https://en.wikipedia.org/wiki/.NET_Framework

Public CLR (electronic) Built-In ???
Version Version

1.0 1.0 Yadda
1.1 1.1 Yadda
* * * * * * * *
2.0 2.0 ...
3.0 2.0
3.5 2.0 Windows 7
* * * * * * * *
4.0 4.0
4.5 4.0 Windows 8
4.5.1 4.0 Windows 8.1
4.5.2 4.0
4.6 4.0 Windows 10

It doesn't really make sense for Microsoft (or anyone else)
to manage the 2/3/3.5 set separately. They should really
live or die as a set. For the 4 series, some are considered
to supersede others. The 2/3/3.5 set do not supersede one
another, and they sit on top of one another.

The libraries have a CLR version. Version 1.0 and 1.1 are
pretty old, and orphan.

The 2.0, 3.0, 3.5 are a "set", intended to take the place
of 1.0 or 1.1. However, older software, coded using 1.0 or 1.1,
does not automatically get updated. If you want such old software
to work, you would keep those old versions in place. You cannot
make a 1.0 or 1.1 program work, by merely installing 2.0.

So 2.0, 3.0, 3.5 give a developer an opportunity to re-compile
against the newer stuff. If your software was abandoned, this might
not be possible (or available for purchase).

When we get to 4.0 or higher (up to 4.6.1), I don't
really know what the relationship is. Obviously, new
software can be compiled against 4.0. You can apparently
install a higher version, which might supersede 4.0 . And
this is a departure from how previous layers in the cake worked.

Versions 2.0, 3.0, 3.5 were layers is a software stack.

Maybe 4.0 involved something like multithreading or
multiprocessing. But part of the reason for the upper
ones to exist, is to "obsolete" older OSes which can
no longer have those installed. That appears to be
their only purpose, as near as I can tell. The latest
versions seem to be used as "gates".

I would first have to determine, how 1.1 got onto the machine,
before I could remove it. For 2.0, 3.0, 3.5, I don't
really think it's all that practical to ditch them.
For example, the ATI CCC control panel uses 2.0 (or higher).
Maybe the last one I installed (a CCC2 driver) needed 4+.

In theory, you could scan the machine for CLR version of
each .NET executables.

Another possibility, would be an NGEN log, if it generates one.
Any time .NET is updated with a security patch, assemblies are
recompiled on the spot. This isn't absolutely necessary, as
an assembly can be "recompiled on demand", but you will find
cases where it has an adverse affect on performance. For example,
maybe your Windows Firewall won't start, because it happens to use
..NET, needs to be recompiled, but for whatever reason, it's not
happening. The ngen program can be used to trigger recompilation
of known assemblies. If this process throws errors (for whatever
reason) the errors are ignored, as this is mostly a "best effort"
operation. Re-compilation means not having to do it at runtime,
so an assembly can start faster. Maybe if these things didn't
"jam", I wouldn't need to know the details :-(

Note - you cannot remove the "built-in" version. Say an OS
shipped with 3.5 - then if the .NET library "breaks" and
won't pass Aaron Stebner's program that tests the libraries,
you'd need to do a DISM RestoreHealth, an SFC ScanNow, or
a repair install or something. You should not be able to
use Stebners "cleaner" to remove the built-in either. And
this is because parts of Windows rely on those, and Windows
is compiled against them.

You will notice in this exercise, that nobody thought
about the end user, in the least. All I can wish you is...

Good luck,
Paul

In message , s|b
writes:
[]
get rid of 2.x. There's a Cleanup Tool he

https://blogs.msdn.microsoft.com/ast...framework-clea
nup-tool-users-guide/

But there's a warning to only use it as a _last resort_.
[]
I have used a .net cleanup tool; I can't remember if it was that one,
but I believe (a) it _was_ from Microsoft, (b) from some sort of forum
or blog, so it probably was.

It was a very tedious process, but if followed exactly, _did_ remove all
trace of .net; you had to install all of it (that you wanted) again
afterwards.

I'd be inclined to agree - last resort only. (It took _ages_.) Read what
Paul and VanguardLH have to say.

I wouldn't worry about "end of life"; as others have said, it's pretty
meaningless for .net, as it doesn't receive updates anyway. I have a
valve wireless (tube radio receiver) for which even the companies who
made the valves/tubes passed their end of life years ago (possibly some
before I was born), but it still works fine (-:
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

By most scientific estimates sustained, useful fusion is ten years in
the future - and will be ten years in the future for the next fifty
years or more. - "Hamadryad", ~2016-4-4

On Mon, 03 Apr 2017 21:26:34 +0200, s|b wrote:

Any help will be appreciated.

So I've read pretty much every follow-up (my head is spinning) and I
think the safest thing to do is ignore PSI and leave things how they
are.

I've set up PSI to ignore those versions of .NET and now I have a
perfect score of 100% again. :-)

--
s|b

s|b wrote:

So I've read pretty much every follow-up (my head is spinning) and I
think the safest thing to do is ignore PSI and leave things how they
are.

I've set up PSI to ignore those versions of .NET and now I have a
perfect score of 100% again. :-)

Be careful about such scoring. Belarc Advisor also has their scoring on
how secure is your system. If you follow all or even some of their
suggestions, things will break. For example, they recommended changing
to FIPS for encryption but made very HTTPS web site inaccesible. I
could not figure out why "all of sudden" I could not visit any HTTPS web
site until I recalled a day before of making the Belarc Advisor
suggested change. Undid that and, voila, HTTPS sites worked again.
They also tell me that I should configure Windows to auto-expire all
Windows account passwords. No thanks. I'm the only one that has
physical access to it but ignoring their suggestions results in a lower
"security score".

While the libs won't tell you who used them, Mayayana mentioned a tool
that crawls through files looking for lib calls to those .NET libs.
That way, you could tell if you have any programs that use them. If not
then I'd uninstall the old .NET libs since they aren't being used and
just wasting disk space - and products, like PSI, alarm their users
about trivials. I thought there might be a deficiency in that tool as
it scans executables for the exports (lib calls). For a long time now,
developers have made their .exe files smaller by moving functions out
into a .dll file. The calls to the .NET libs may be in the DLLs instead
of back in the main .exe. However, for its .NET scanner, they also look
inside the DLLs (probably by listing their imports). There are other
dependency walkers (e.g., http://www.dependencywalker.com/); however,
they show all dependencies, not just those targeting .NET libs.

VanguardLH wrote:
s|b wrote:

So I've read pretty much every follow-up (my head is spinning) and I
think the safest thing to do is ignore PSI and leave things how they
are.

I've set up PSI to ignore those versions of .NET and now I have a
perfect score of 100% again. :-)


I thought that PSI was no longer being updated and we were to switch to
another source.

--
Zaidy036

Zaidy036 wrote:

I thought that PSI was no longer being updated and we were to switch to
another source.

Secunia got acquired by FlexeraSoft.
http://www.infoworld.com/article/298...-software.html
http://www.crn.com/news/security/300...management.htm

Sometimes when an enterprise-oriented company acquires another that the
consumer-oriented products of the prior company end up as only
enterprise-grade products. The acquirer isn't interested in the
consumer market. Another aspect of the tool is that it must phone home
to divulge your software repository to them. This lets them aggregate
data on what software their customers are using.

I don't recall having to divulge an e-mail address to get the PSI
download - but you do now. So make sure to use a temporary (disposable)
one or an alias (that is truly an alias and not some prepended string
onto your existing username).

The latest version that I can get from somewhere OTHER than Flexera
(http://www.softpedia.com/get/System/...nspector.shtml)
is dated back to Feb 2, 2016 for version 3.0.0.11005. download.com
won't tell me what version they offer for download, and the offered file
does not include a version substring in its filename. The download from
Flexera's site also has no version shown in the download filename. I
donwload their file and use Peazip to open the .exe as an archive.
Didn't find anything inside that told me what version was that software.
I did notice their Readme.rtf file listed Windows 7 as the latest
supported OS yet their web site claims Windows 8 and 10 are supported.
Considering the download is only 3.8 MB in size, it is likely a web
installer: a stub of code to connect back to them to then retrieve the
real product. Could be the program is small since it relies on
retrieving info from their servers for it to work. The datestamps of
the files in the .exe were dated back to Nov 2015 with the sua.exe file
dated Feb 2016.

https://secuniaresearch.flexerasoftw...port/download/

According to Flexera's page, version 3.0 is the latest version available
for their acquired PSI product. Well, as mentioned above, that was back
in Feb 2016 with most of the installer files dated much older.

That would be the program version. I don't know what is their latest
version from the Flexera web site because they don't tell you what they
will download to you. Although there may have been no further program
updates, that does not preclude database updates on software, their
versions, age, etc., that gets retrieved by their program when it phones
home. "To function correctly Personal Software Inspector needs to be
able to connect to our servers." If you don't have an Internet
connection or allow PSI to connect to their servers, PSI won't work.
Their FAQ doesn't say the program will continue using the previously
retrieved database until whenever it can later retrieve an updated one.
They say PSI won't work ("won't load the interface or complete
scanning") without an Internet connection.

I suspect that I last trialed PSI before the acquisition so it's been
awhile. However, from the OP's message, still sounds like they bitch
about old software. They bitch because it is old, not because it was or
is vulnerable (and under YOUR current deployment of it). End-of-life or
abandoned does NOT equate to vulnerable. Secunia, now Flexera, does not
know if the old software is vulnerable. They're just scaring you about
something that's old and will no longer be included in their database to
show an update schedule.

I consider Secunia PSI like I do for driver update notification
softwa they break too many computers. Stuff that was working before
gets broke with the introduction of new code, the new code has its own
bugs and vulnerabilities, and for changed behaviors or even losing some
features previously available. Fixing something that is not broke may
end up breaking it. Instead of relying on wasting memory and CPU cycles
along with bandwidth on alarms (too many of which are false) about out
of date software (which is what PSI measures, not whether the old
version is actually vulnerable or broken), I allocate my own selected
time for when I save an image backup and review my software to see which
ones have updates and of those which ones I want to update. I'm the
admin of my computer so I do that job, not relegate it fixed code
decided by someone else guessing what should get updated.

On Tue, 4 Apr 2017 14:30:56 -0500, VanguardLH wrote:

Be careful about such scoring. Belarc Advisor also has their scoring on
how secure is your system. If you follow all or even some of their
suggestions, things will break.

I don't use Belarc Advisor and so far, I haven't caused any problems by
following Secunia's advice. But I will keep the warning in mind.

For example [Belarc Advisor]

I haven't tried Belarc, but based on your experience I think I'll pass.

--
s|b

On Wed, 5 Apr 2017 05:48:10 -0000 (UTC), Zaidy036 wrote:

I thought that PSI was no longer being updated and we were to switch to
another source.

I got a warning version 2.x was end of life, so I switched to 3.x which
is still working.

--
s|b

s|b wrote:

I haven't tried Belarc, but based on your experience I think I'll pass.

I don't use Belarc Advisor for its security scoring (for the reasons
given). I do use it as a more convenient means to list all the updates
applied to my computer plus it gives me the product and license keys for
several programs. I use it for information only, not for tweaking.

Nothing mandates that you use all features of a program. Hell, MS Word
users often only touch about a third, if that much, of its features.

In message , VanguardLH
writes:
s|b wrote:

I haven't tried Belarc, but based on your experience I think I'll pass.

I don't use Belarc Advisor for its security scoring (for the reasons
given). I do use it as a more convenient means to list all the updates
applied to my computer plus it gives me the product and license keys for
several programs. I use it for information only, not for tweaking.

Nothing mandates that you use all features of a program. Hell, MS Word
users often only touch about a third, if that much, of its features.

+1. I ignore Belarc's security advisories (as I do most - I wouldn't be
using an XP computer, would I ... [yes I know where I'm writing this]).
But I find Belarc very handy for getting a reasonably accurate summary
of the hardware (including, e. g., memory - not just total, but how many
sticks of what capacity each), as well as software summaries, and as VLH
says, some keys.

It's not foolproof (e. g. some software-created hardware can be shown as
hardware, and some hardware with the wrong drivers can appear as the
hardware the drivers are for), but reasonably good (and of course free).
The _format_ of the report is also somewhat pleasing to me.
--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

What is the point of a really good degree, if you're just like Harold Wilson?
That really cut me down to size. - Sister Wendy Becket, on DIDs 2012-12-16
(She, like he, got one of the best degrees at Oxford in her year.)

On Thu, 6 Apr 2017 13:45:08 -0500, VanguardLH wrote:

s|b wrote:

I haven't tried Belarc, but based on your experience I think I'll pass.

I don't use Belarc Advisor for its security scoring (for the reasons
given). I do use it as a more convenient means to list all the updates
applied to my computer plus it gives me the product and license keys for
several programs. I use it for information only, not for tweaking.


Ditto.


Nothing mandates that you use all features of a program. Hell, MS Word
users often only touch about a third, if that much, of its features.


For programs of almost any complexity at all, there is probably nobody
who uses all their features.