Hi @ll,

on all but their latest versions of Windows (which Microsoft ships with .NET Framework 4.x), Microsoft shoves COMPLETELY NEW versions of .NET Framework via Windows/Automatic Updates onto the PERSONAL computers of their unsuspecting users^Wcustomers, even and especially when those customers^Wpoor victims have NOT A SINGLE application installed which needs .NET Framework at all, and installs them without asking or even informing their customers, SILENTLY!

Trustworthy computing? NOPE!

In detail:

* Users of Windows 2000 got .NET Framework 1.1, then 2.0 and 3.0 shoved onto their computers, SILENTLY!

  JFTR: .NET Framework 2.0 is NOT an update to .NET Framework 1.x, but a COMPLETELY new and incompatible version, which gets installed aside a previous version.

* Users of Windows XP got and users of Windows Embedded POSReady 2009 still get .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved onto computers, SILENTLY!

  JFTR: neither Windows 2000 nor Windows XP shipped with any version of .NET Framework. Especially with these versions of Windows, pushing .NET Framework as "Update" is a euphemism.

  JFTR: .NET Framework 4.x is NOT an update to any prior version of .NET Framework, but a COMPLETELY new and incompatible version, which gets installed aside previous versions. At least Microsoft continued to use the euphemism "Update".

* Users of Windows Server 2003 and Windows Server 2003 R2 got .NET Framework 2.0, then 3.0, 3.5, 3.5.1 and 4.0 shoved onto computers, SILENTLY!

  JFTR: Windows Server 2003 shipped with .NET Framework 1.1, and Windows Server 2003 R2 with both .NET Framework 1.1 and 2.0.

* Users of Windows Vista got, and users of Windows Server 2008 still get .NET Framework 3.5, 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2 and 4.6 shoved onto computers, SILENTLY!

  JFTR: both versions of Windows shipped with .NET Framework 3.0, for which 3.5 may be considered an update.

* Users of Windows 7 as well as users of Windows Server 2008 R2 still get .NET Framework 4.0, 4.0.1, 4.5, 4.5.1, 4.5.2, 4.6, 4.6.1, 4.6.1, 4.7 and 4.7.1 shoved onto computers, SILENTLY!

  JFTR: both versions of Windows shipped with .NET Framework 3.5.1.

Every installed version of .NET Framework enlarges the attack surface of Windows, SIGNIFICANTLY, and contains multiple known vulnerabilities Microsoft WON'T FIX, for example:

* the (update) installers of EVERY version of .NET are vulnerable to DLL hijacking and allow to perform escalation of privilege: see

* all versions of .NET Framework are vulnerable to DLL hijacking and allow a trivial escalation of privilege: see

Mitigation:
~~~~~~~~~~~

To block WU/AU from shoving .NET Framework 4.x SILENTLY to your computer, see the MSKB articles , , , , and : then create the following *.REG and import it.

--- *.REG ---
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU]
"BlockNetFramework4"=dword:00000001
"BlockNetFramework45"=dword:00000001
"BlockNetFramework451"=dword:00000001
"BlockNetFramework452"=dword:00000001
"BlockNetFramework46"=dword:00000001
"BlockNetFramework461"=dword:00000001
"BlockNetFramework462"=dword:00000001
"BlockNetFramework47"=dword:00000001
"BlockNetFramework471"=dword:00000001
--- EOF ---

To block earlier versions, see the MSKB articles , and .

stay tuned
Stefan Kanthak

PS: Microsoft implemented .NET Framework in Windows NT in a TOTALLY flawed and wrong way: if done right, it were an NT subsystem, like the "Subsystem for OS/2", the POSIX subsystem, the "Subsystem for UNIX Applications", the "Windows Subsystem for Linux" or Windows itself.
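
An added example, not part of the original post: a PowerShell script that audits the nine block values from the *.REG file above, reporting each as Missing, Wrong (present but not DWORD 1) or Blocked, and creates or corrects them when run elevated with -Apply. The function name Get-BlockState and the -Apply switch are names chosen for this example; the key path and value names are those given in the post.

```powershell
# Added example: audit (and optionally set) the WU block values listed in the post.
# -Apply needs an elevated prompt, because HKLM is writable only by administrators.
param([switch]$Apply)

$Key   = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\WU'
$Names = 'BlockNetFramework4',   'BlockNetFramework45',  'BlockNetFramework451',
         'BlockNetFramework452', 'BlockNetFramework46',  'BlockNetFramework461',
         'BlockNetFramework462', 'BlockNetFramework47',  'BlockNetFramework471'

function Get-BlockState {
    # One object per value name. A missing key simply yields 'Missing' for every name.
    $props = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    foreach ($n in $Names) {
        $v = if ($props) { $props.$n } else { $null }
        $kind = $null
        if ($null -ne $v) {
            # The value type matters: the .REG file writes DWORDs, so a string "1"
            # is reported as Wrong rather than assumed to be honoured.
            $kind = (Get-Item -LiteralPath $Key).GetValueKind($n)
        }
        $state = if ($null -eq $v) { 'Missing' }
                 elseif ($kind -eq 'DWord' -and $v -eq 1) { 'Blocked' }
                 else { 'Wrong' }
        New-Object PSObject -Property @{ Name = $n; State = $state; Value = $v; Kind = $kind }
    }
}

if ($Apply) {
    if (-not (Test-Path -LiteralPath $Key)) {
        # -Force also creates any missing parent keys.
        New-Item -Path $Key -Force | Out-Null
    }
    # Parentheses force the audit to finish before any value is written.
    foreach ($row in (Get-BlockState | Where-Object { $_.State -ne 'Blocked' })) {
        New-ItemProperty -LiteralPath $Key -Name $row.Name -Value 1 `
            -PropertyType DWord -Force | Out-Null
    }
}

# Final report; after -Apply every row should read 'Blocked'.
Get-BlockState | Format-Table Name, State, Value, Kind -AutoSize
```

Running it without -Apply changes nothing and only prints the table, so it can be used to check a fleet before and after importing the *.REG file.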