Some businesses have legitimate reasons to keep using Microsoft's obsolete operating system. But for most, the reasons that companies hold on to Windows XP boil down to not wanting to spend the money to upgrade. That's not a good long-term plan.

For better or worse, Microsoft’s Windows XP is still in use. Indeed, recently you may have been startled to read that the United Kingdom’s newest aircraft carrier, the Queen Elizabeth, runs Windows XP. That particular story wasn’t true, as it turns out, but some of the warship’s construction contractors did use the old operating system.

You likely were willing to accept the QE story because so many businesses are still running Windows XP. Some hold on to the out-of-date OS from pure laziness and cheapness, but others have genuine reasons for sticking with it.

It’s been three years since April 8, 2014, when Microsoft’s extended support for Windows XP ended and regular security updates stopped. But that hasn’t stopped these companies from relying on the software.

Windows XP lives

We all know that the OS is still in use, if only because of the family tech-support emergency in which we are asked to fix a relative’s old computer. However, the exact number of systems that still run Windows XP is hard to pin down; the percentages vary depending on the reports you read.

As of June 2017, Windows XP still has an amazing 7 percent market share, according to U.S.-based analytics vendor Net Applications. This percentage is derived from “data from the browsers of site visitors to our exclusive on-demand network of HitsLink Analytics and SharePost clients,” Net Applications explains, based on its worldwide network of over 40,000 websites.

Irish analytics company StatCounter doesn’t have Windows XP usage quite that high, but at 5 percent market share, Windows XP shows amazing life.

Windows XP remains particularly strong in the People’s Republic of China, where it’s the second most popular desktop operating system (after Windows 7) with 20 percent using the OS. Of these, approximately 90 percent are pirated copies, according to StatCounter. StatCounter’s numbers come from its web analytics service; the company’s tracking code is installed on over 2.5 million sites globally, where it records billions of page views.

In the United States, Windows XP’s use as a desktop OS has been declining. According to the federal Digital Analytics Program's (DAP) analytics page, in the past three months Windows XP was used by only 0.6 percent of visitors. That’s far less than Net Applications’ and StatCounter’s global numbers. The gap may reflect the nature of the sites from which DAP collects web traffic: more than 300 executive branch government domains across 3,800 websites. Most site visitors, 81 percent, are U.S. citizens.

Even in the U.S., those numbers may disguise the presence of Windows XP systems in business. According to a study, 2017 OS Adoption Trends, conducted by Spiceworks, a Windows help desk company and network of IT professionals, 52 percent of businesses are running at least one Windows XP instance, and the OS is still installed on 14 percent of business computers.

How many computers is that altogether? Some rough calculations put the number over 100 million Windows XP users. Not all of those computers have an Internet connection, but we know that quite a few do.

If it ain’t broke, don’t fix it, and other reasons

Why are there still so many users? One major reason that Windows XP lives on is that it was so popular. The OS had a supported life of almost 13 years—far longer than any other desktop operating system.

“It was one of the first Microsoft operating systems people latched onto,” says Peter Tsai, a Spiceworks senior technology analyst. Even on the eve of its end-of-support death in March 2014, Tsai says, Windows XP still ran “on approximately 30 percent of the more than 1.6 billion PCs in the world.” Do the math: that’s roughly 500 million computers. In addition, he says, “The five-year gap between Windows XP and its unpopular successor, Windows Vista, resulted in an uncommonly large installed base.”


Another reason for Windows XP’s sturdy tenure is the lack of an in-place upgrade path to Windows 10. Microsoft’s upgrade tooling starts at Windows 7, so a Windows XP machine must either be wiped for a clean install or moved to Windows 7 first and then upgraded to Windows 10, and XP-era hardware rarely meets the newer system requirements anyway. For practical purposes, that means it makes more sense to trash the old hardware and buy PCs with pre-installed Windows 10. If your company has the money, that is.

But that was years ago. Why are people still using it on desktops? Several IT people confided in me, usually privately. (Who wants to advertise his company’s vulnerabilities, after all? Many are simply embarrassed.)

A system administrator from a midsize industrial company told me, “Management just doesn’t want to pay to replace our systems. It’s that simple.” He’s not alone. Another sysadmin, who works for a real estate company, says, “If it’s not broke, they don’t want to fix it.”

According to the Spiceworks study, the reasons IT professionals stick with an outdated OS are no immediate need, lack of time, and budget constraints.

Another reason businesses hold onto Windows XP is custom software. A sysadmin at a different real estate firm confides, “We have a property inventory program we use in-house, and no one has a clue what’s inside it. There’s just no money to hire someone to rewrite it.”

A building engineer reports that his company relies on software that runs on Windows XP to keep the building’s HVAC systems running, as well as lighting management and other controls. His employer has no interest in updating the operating system; it doesn’t see any problem.

The software may not be custom; it might be an old third-party application. A jeweler who uses a vertical design program explains, “The last good version only runs on Windows XP.”

In some cases, it’s possible (or necessary) to run a Windows XP application in a virtual machine. As one annoyed user expressed on a Spiceworks discussion thread, “I had to install an XP VM on my home network last year to run an XP-specific mapping program.” Don’t expect help from Microsoft’s patch tooling for such machines, either: Windows Server Update Services no longer supports Windows XP clients.

A related reason is computer-controlled hardware. Many industrial, medical, and scientific devices used desktop Windows XP as a poor man’s embedded controller. Their users view the computer as a tool and give little attention to the underlying OS.

Why spend money upgrading? This works fine

For these companies, upgrading the entire system for a new operating system simply costs too much money. As a light-manufacturing company CIO told me, “This equipment cost us hundreds of thousands, and we use it every day. It just isn’t cost-effective to replace it, especially since these systems don’t connect with the Internet.”

Even when the equipment doesn’t cost a mint, some hardware is just too old to be supported by newer operating systems. For example, a really old but special-purpose printer has drivers on Windows XP, but as one sysadmin reports, “Windows 7 and up are not supported for the spooler manager and job queue client.” And “Windows XP also runs our older-than-dirt handheld bar-code scanner terminal app.” You’re not asking management to replace a desktop computer; you’re asking them to buy a whole new piece of business equipment.

That may be even more of an expense when vertical hardware and software intersect. One ophthalmology practice uses a small LAN of connected Windows XP clients, reports another admin. “We’re still on Windows XP due to the specialist apps that connect to the various eye scanning devices.”

IT pros know this is asking for trouble. In the Spiceworks survey of more than 450 IT professionals, 68 percent were concerned about the end of security patches and bug fixes. But IT concerns don’t always translate into corporate priorities.

Embedded XP: The hidden Windows

That’s especially true when it comes to hardware that uses Windows XP Embedded. Numerous computer numerical control (CNC) controllers from companies such as Siemens, Mitsubishi, and ProtoTRAK still run this specialized version of the operating system. The controllers generally are expensive ($50,000 to $150,000) and are installed on even more expensive machinery, which often starts at half a million dollars. No one wants to mess with equipment that costs so much and that works perfectly well.

Besides, as manufacturing professional Garegin Khachiyan explains, “With just over 15 years of experience in the manufacturing field, neither I nor anyone I personally know ever experienced any security issue with CNC controllers that ran on Windows.”

Windows XP Embedded also lives on in bank automated teller machines (ATMs). “A majority of ATMs still use that OS," says security expert Bruce Schneier. "And once Microsoft stops issuing security updates to Windows XP, those machines will become increasingly vulnerable. Although I have to ask the question: How many of those ATMs have been keeping up with their patches so far?”

That’s a good question. “Newer ATMs can be patch-managed remotely," says security writer Kimberly Crawley in a recent Hackernoon blog. "But older ATMs, including a large percentage of the machines still in use in the U.S., can only be patched manually. That means a bank’s IT professionals have to visit the machines, branch by branch, one by one, to apply Microsoft’s Windows XP for Embedded Systems’ security patches. The IT professionals who have the specialized knowledge necessary to manually patch ATMs are expensive.”

However, apparently they are not as expensive as replacing them. So Windows XP Embedded-powered ATMs will keep dispensing cash in banks around the country.

Supporting and securing Windows XP

Microsoft appears to still be renewing Windows XP “Custom Support” contracts, though the company doesn’t publicly describe the terms. In response to all questions about Windows XP Custom Support contracts, a Microsoft spokesperson said the company was “unable to accommodate your request at this time.” He added, “As always, we recommend customers stay current with the latest updates to Windows. The best protection is to be on a modern, up-to-date system that incorporates the latest innovations including the latest security features and advancements.”

A Custom Support contract is not intended to last forever. Generally speaking, these contracts require customers to submit a migration plan to a supported edition of the product, along with goals and dates, and Microsoft must approve the plan. Contract milestones are expressed as percentages of the covered systems. If a company doesn’t meet the migration milestones, Microsoft can refuse to renew the deal or cut off support.

That said, some contracts are still in place. The United States Navy purchased Windows XP support until 2017, which also included Office 2003 and Exchange 2003 support. According to the contracting announcement, “Across the United States Navy, approximately 100,000 workstations currently use these applications.”

In 2016, the Australian government reported it had paid $3.4 million for 15 months’ worth of Windows XP support to cover agencies to July 2017.

Other government agencies probably wish they had made the investment. In 2015, a hospital system in the United Kingdom’s National Health Service (NHS) revealed it was still running 1,260 Windows XP systems (with no Custom Support contract). In 2016, NHS hospitals were still running the OS. Then, in 2017, the hammer of WannaCry ransomware came down and knocked out multiple NHS facilities.

WannaCry spread by exploiting a flaw in SMBv1, the original version of Windows’ Server Message Block file-sharing protocol, which Windows XP speaks and which Microsoft had fixed for supported versions two months earlier (MS17-010, March 2017). The worm needed only a single reachable, vulnerable PC, whether exposed to the Internet or sitting on the local-area network, to get a foothold; from there it scanned for and infected other systems on the LAN.
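A practitioner’s check for the exposure this paragraph describes, as an added example that is not code from the original article, from Microsoft, or from the WannaCry authors: the Python 3 script below connects to a host on TCP/445, offers only the SMBv1 dialect that Windows XP speaks (“NT LM 0.12”), and reports whether the server accepts it. Everything in it uses the standard library; the host, port and timeout are parameters you supply, and the sample replies embedded for the self-check are constructed by hand, not captured from any real machine.

```python
"""Probe a host on TCP/445 to learn whether it will still negotiate SMBv1.

Added example, not part of the original article.  It sends a single
SMB_COM_NEGOTIATE request offering only the "NT LM 0.12" dialect (the SMBv1
dialect Windows XP speaks) and classifies the reply.  A host that answers with
an SMB1 header and a non-0xFFFF DialectIndex is willing to talk SMBv1; if it
is also unpatched for MS17-010, that is the condition WannaCry exploited.
Assumptions: Python 3, standard library only; targets are supplied by you.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"


def build_smb1_negotiate(dialects=(DIALECT_NT_LM_012,)):
    """Return a NetBIOS-session-framed SMB1 NEGOTIATE request (MS-CIFS 2.2.4.52)."""
    header = SMB1_MAGIC                                 # 32-byte SMB1 header follows
    header += struct.pack("<B", SMB_COM_NEGOTIATE)      # Command
    header += struct.pack("<I", 0)                      # Status
    header += struct.pack("<B", 0x18)                   # Flags: canonical paths, case-insensitive
    header += struct.pack("<H", 0xC853)                 # Flags2: unicode, NT status, ext. security, long names
    header += struct.pack("<H", 0)                      # PIDHigh
    header += b"\x00" * 8                               # SecurityFeatures
    header += struct.pack("<H", 0)                      # Reserved
    header += struct.pack("<H", 0)                      # TID
    header += struct.pack("<H", 0xFEFF)                 # PIDLow (arbitrary)
    header += struct.pack("<H", 0)                      # UID
    header += struct.pack("<H", 0)                      # MID
    assert len(header) == 32

    # Dialect list: each entry is 0x02 followed by a NUL-terminated ASCII name.
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<B", 0)                         # WordCount
    body += struct.pack("<H", len(dialect_bytes))       # ByteCount
    body += dialect_bytes

    smb = header + body
    # NetBIOS session service header: message type 0x00 + 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_negotiate_reply(data):
    """Classify the raw bytes a server sent back in answer to the request above.

    "smb1"     - SMB1 header, status 0, a dialect we offered was accepted
    "smb2"     - server answered with an SMB2 header (SMBv1 disabled or removed)
    "rejected" - SMB1 header, but an error status or DialectIndex 0xFFFF
    "no-reply" - nothing, or bytes that are not an SMB negotiate response;
                 a Windows host with SMBv1 off usually just drops the connection
    """
    if len(data) < 4:
        return "no-reply"
    smb = data[4:]                                      # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "no-reply"
    status = struct.unpack_from("<I", smb, 5)[0]        # bytes 5..8 of the header
    word_count = smb[32]                                # first byte after the header
    if status != 0 or word_count == 0:
        return "rejected"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1" if dialect_index != 0xFFFF else "rejected"


def probe_smb1(host, port=445, timeout=3.0):
    """Connect, send the NEGOTIATE, and classify the reply; never raises."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"                            # closed port, no route, or DNS failure
    try:
        with sock:
            sock.sendall(build_smb1_negotiate())
            return classify_negotiate_reply(sock.recv(4096))
    except OSError:
        return "no-reply"                               # reset or timeout after connecting


# Constructed sample replies for a self-check (not captured from any real host).
SAMPLE_REPLIES = {
    # SMB1 NEGOTIATE response: status 0, WordCount 17, DialectIndex 0 -> NT LM 0.12 accepted.
    "xp_like": b"\x00\x00\x00\x23" + SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x11" + b"\x00\x00",
    # A 64-byte SMB2 header: the server does not speak SMBv1 at all.
    "smb2_only": b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x00" * 60,
    # SMB1 response with WordCount 1 and DialectIndex 0xFFFF: no offered dialect accepted.
    "no_dialect": b"\x00\x00\x00\x23" + SMB1_MAGIC + b"\x72" + b"\x00" * 27 + b"\x01" + b"\xff\xff",
    "silence": b"",
}


def self_check():
    """Run the classifier over the constructed samples; returns {name: verdict}."""
    return {name: classify_negotiate_reply(raw) for name, raw in SAMPLE_REPLIES.items()}


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(f"{target}: {probe_smb1(target)}")
```

Run it from a machine on the same network segment as the suspect hosts, passing one or more addresses on the command line. A verdict of “smb1” tells you the host still negotiates the protocol version WannaCry abused; it is a negotiation check only, not a vulnerability test, so treat every “smb1” result as a reason to either disable SMBv1 on that host or cut the host off from anything it does not have to talk to.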

Microsoft considered the problem serious enough to take the unusual step of publicly releasing a security patch for an operating system that was already out of support. Clearly, the number of Windows XP systems justified such a radical step.

What does it take to migrate?

The moral of the story? Yes, there may be financial reasons and inertia that keep businesses using Windows XP, but in the long run they’re not convincing. WannaCry was not a one-time event. There will be more attacks. The OS is both too popular and too easy to attack for hackers to ignore.

If your business continues to use the OS, at the very least ensure that your systems have no ties to the Internet, and keep them off any network segment they don’t need to reach, since WannaCry moved across local networks once it got in. Leaving a Windows XP box reachable is like leaving the door to your home not only unlocked but wide open.

Windows XP Embedded, which tends to be used in stand-alone systems, is safer in practice because it is less exposed, but it is still vulnerable.

Whether the recent ransomware attacks are enough of a motivation for the “if it works don’t fix it” decision-makers to make a change is yet to be determined. I hope so. The time has come to kiss Windows XP good-bye and upgrade your systems.
