Run Microsoft Baseline Security Analyzer 1.2 from the command line

The Microsoft Baseline Security Analyzer normally runs from a GUI. You can also execute it from the command line and get a little more control over it. Here's how it works.

With the release of version 1.2 of the Microsoft Baseline Security Analyzer (MBSA 1.2), Microsoft has vastly improved this already excellent proactive security tool and turned it into a much more full-featured utility. The MBSA includes a powerful graphical user interface that provides administrators with a way to interactively scan the local and remote servers and desktop machines. From the reports generated, administrators can take appropriate action to address potential security problems, such as installing required patches, enabling automatic updates, or turning on the Windows XP firewall.

Scripted scans

One area that the GUI does not address is the ability to script a scanning session. Most administrators work normal business hours, which are times that heavy scans are usually avoided because of their potential impact on the network, servers, and desktop computers. For this reason, the MBSA includes a command-line utility that performs the same functions as its GUI counterpart and can be included in nightly/weekly/monthly routines to scan for vulnerabilities. From this scan, a report is generated from which an administrator can take proactive steps to protect the infrastructure.

The executables

MBSA includes two executables: mbsa.exe and mbsacli.exe. The mbsa.exe executable powers the GUI side of the utility, while, as you might expect, the mbsacli.exe executable is the command-line side. By default, both of these executables are stored in C:\Program Files\Microsoft Baseline Security Analyzer. Please note that if you have the GUI MBSA utility open, the command-line version will not run.

By default, the results of a scan are stored in the C:\Documents and Settings\user name\SecurityScans folder and have names similar to "WORKGROUP - W2K3 (5-20-2004 5-35 PM)", where the workgroup/domain is listed along with the system name and the date and time of the scan. This is true for both the GUI and the command line, but you don't usually have to know this for the GUI, since the program handles the report display.

Using the command line

There are two ways to run the command-line version of MBSA. The first syntax actually performs scans, and the second one provides a listing of results from the most recent scan. So, it's a two-pass process.

Running a basic local scan

Mbsacli.exe doesn't actually require any parameters. If you omit them, the local computer is simply scanned, assuming that you have administrative rights with the current logon. The results of a local scan from the command line should look something like this:

Computer Name, IP Address, Assessment, Report Name
WORKGROUP\W2K3,, Severe Risk, WORKGROUP - W2K3 (6-1-2004 6-21 PM)

Viewing the results of the basic scan

As with the GUI version, the command-line version of MBSA produces very detailed results to help you pinpoint and address potential security weaknesses in your network. I like the fact that it doesn't just assume you want things "fixed." Instead, it provides information so you can make a decision about what to address or ignore. To get the results, type the following, substituting the appropriate report name:

mbsacli /ld "WORKGROUP - W2K3 (6-1-2004 6-21 PM)" 

When reports are generated using a command-line scan, they can also be viewed with the GUI at your leisure. Both the GUI and the command line store their files in the same location, so each utility can use the scan results generated from the other utility. Figure A displays the local scan showing up as an entry in the GUI's Pick A Security Report To View option. Figure B shows the first page of that scan.

Figure A

The recent scan also shows up in the GUI.

Figure B

The first page of the scan

Personally, I like to be able to script this kind of stuff and view the results with a GUI. The command-line viewing option works, but it's more difficult to interpret.

Full syntax

As I mentioned, there are two syntaxes for mbsacli.exe, depending on whether you want to just run a scan or view the results of a previously run scan. Here's the full syntax of the mbsacli command:

mbsacli [/c|/i|/r|/d domain] [/n option] [/o file] [/f file] [/qp] [/qe] [/qr] 

Switches you can use include:

● /c domain\computer—Scan the computer named in domain\computer.

● /i IP_addr—Scan the computer identified by the IP address provided.

● /r "IP_addr-IP_addr"—Scan the computers in the range of IP addresses provided.

● /d domain—Scan all computers in the target domain.

● /n option—By default, MBSA performs all scans against the targets. Use /n to remove specific scans. Valid options are OS, SQL, IIS, Updates, Password. To omit more than one scan, separate the /n options with a + (plus sign).

● /o file—Specify the name of the file to which to write the results. A default name is presented above with the syntax "%D% - %C% (%T%)", where %D% is the domain or workgroup name, %C% is the name of the computer, and %T% is the date and time of the scan.

● /f file—Write console output to the file specified.

● /qp—Don't display the progress of the current scan.

● /qe—Don't display errors present in the current scan.

● /qr—Don't display the list of reports.

● /s 1—Suppress security notes.

● /s 2—Suppress security notes and warnings.

● /nvc—By default, MBSA always checks for a new version of itself when it runs. Use /nvc to skip this check.

● /baseline—Check only for baseline security updates rather than all updates (default in GUI).

● /nosum—Do not verify checksums for security updates. Use only if you need different language versions of patches and need to rename them for a language supported by MBSA (default in GUI).

● /sus [susserver | susfilename]—Get a list of approved updates from a SUS server. This option requires the URL of the SUS server and will look for a file named approveditems.txt.

● /hf—Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

The report syntax and switches slightly vary. The report syntax is:

mbsacli [/e] [/l] [/ls] [/lr file] [/ld file] [/unicode] [/hf] [/?] 

Switches include:

● /e—Show the errors from the most recently run scan.

● /l—Show a list of all reports that are available for viewing.

● /ls—List the reports available from the most recent scan. Remember that a report is generated for each system in a scan.

● /lr file—Display the overview of the report named by file.

● /ld file—Display the complete details of the report named by file.

● /Unicode—Output Unicode only.

● /v—Display the reason codes for security updates.

● /hf—Run in hfnetchk mode. Use "mbsacli -hf /?" for details. This mode allows you to use the extremely granular scanning and reporting functionality that was present in the command-line hfnetchk utility. Note that, unlike straight-up mbsacli, this does not produce XML output.

More flexibility from the command line

Note that MBSA can scan up to 10,000 machines simultaneously. If you need to scan more, you'll have to perform multiple scans. Scanning by IP address is limited to 256 machines. If you want to scan off-hours or run scans regularly and view the results at your leisure, mbsacli.exe is invaluable and is especially useful when combined with the reporting functions of the GUI version of MBSA.

Editor's Picks

Free Newsletters, In your Inbox