A command prompt?
Seems to me with all the problems and holes they have in their products and HTML driven
tool that would quickly just point you to the download, rather than lookup a Q ID article and search again thru their awful database. IT people need something that is fast and get's to the answer quickly.
Discussion on:
View:
Show:
I would be curious to know if anyone has gotten this to work with qchain.exe, the MS tool for applying multiple hotfixes without rebooting. I used hfnetchk on our mail server, it found a few patches that were not on and I applied them using qchain. Ran the hfnetchk again and it said they were all still not loaded. Anyone tried this? Anyone know where hfnetchk gets it's info from?
It downloads an XML file.
Once the xml file is downloaded and run, it then scans your system for various installed
MS programs (IIS, Office, NT4 vs 2K).
Once it get's feedback from your system of what is installed, it then has a list of checksums that it brings up against your system.
If the checksum is verified correctly then it assumes the patch is there, if not then it says it's not. If it can't tell then it will throw a warning.
The file is called mssecure.xml and is downloaded to the location that hfnetchk is being run in.
Hope this helps. (don't know about the qchains issue, haven't used it yet with this.)
Once the xml file is downloaded and run, it then scans your system for various installed
MS programs (IIS, Office, NT4 vs 2K).
Once it get's feedback from your system of what is installed, it then has a list of checksums that it brings up against your system.
If the checksum is verified correctly then it assumes the patch is there, if not then it says it's not. If it can't tell then it will throw a warning.
The file is called mssecure.xml and is downloaded to the location that hfnetchk is being run in.
Hope this helps. (don't know about the qchains issue, haven't used it yet with this.)
It is better then nothing.
It's not the most recent ones that I worry about, because they are usually sent out in MS security bulletins.
It's the older patches that you forget about that I care about.
What I do is After I install the OS, Service Pack, browsers, programs, I then run HFnetchck; copy the results into notepad, then go right down the line and install them all.
If you are ambitious you can burn all of the patches onto a cd, sorting them into folders by MS# and by either nt or 2k.
That's I how personally do it.
It's not the most recent ones that I worry about, because they are usually sent out in MS security bulletins.
It's the older patches that you forget about that I care about.
What I do is After I install the OS, Service Pack, browsers, programs, I then run HFnetchck; copy the results into notepad, then go right down the line and install them all.
If you are ambitious you can burn all of the patches onto a cd, sorting them into folders by MS# and by either nt or 2k.
That's I how personally do it.
Simular problem. We even ran the hotfixes one at a time just to be sure. The tool still said we needed to apply hotfixes that were put on in order and show up as installed. Judging from others it must work in some situations. Running it as a batch is a nice idea. Maybe MS could pick up on that with a customizable Qchain tool.
Yes, Vijay Ramcharan did and it works really well.
Do a search in Google for ScanPatchFix. You'll find an old article from ntbugtraq. He gives it out free.
Actually hfnetchk is old, a couple of years in fact, and you correctly spotted that the best way to use it, is with qchain. It works really well.
Do a search in Google for ScanPatchFix. You'll find an old article from ntbugtraq. He gives it out free.
Actually hfnetchk is old, a couple of years in fact, and you correctly spotted that the best way to use it, is with qchain. It works really well.
While it would be a **Cool** Feature...
I use the tool ALOT. Once you start using it and downloading the hot fixes. You will find that you will have most of them locally.
Plus, I'm not sure where you are going to find your hotfixes, but hereis a link for you that you can go to. No need to search anymore.
http://www.microsoft.com/technet/security/current.asp
You can just scroll down the right hand side, find the hf# (is ms00-071) and you have the info you need about it.
Using this tool and having a repository of the hotfixes, I have been able to patch an army of machines that normally would take me a while.
Plus if you clone a single machine, you only need to run it once then apply the patches across the board. This is great for production machines that are in a farm and replictated.
I use the tool ALOT. Once you start using it and downloading the hot fixes. You will find that you will have most of them locally.
Plus, I'm not sure where you are going to find your hotfixes, but hereis a link for you that you can go to. No need to search anymore.
http://www.microsoft.com/technet/security/current.asp
You can just scroll down the right hand side, find the hf# (is ms00-071) and you have the info you need about it.
Using this tool and having a repository of the hotfixes, I have been able to patch an army of machines that normally would take me a while.
Plus if you clone a single machine, you only need to run it once then apply the patches across the board. This is great for production machines that are in a farm and replictated.
The tool helps, but is not enough as is. I've created a batch file to copy the files to the PC, run the program, and then send the information to a text file. Another batch file runs the multiple patches with the -z switch from the network, and then finishes with the quickchain program from Microsoft so I only have to do one reboot.
However, here is a shareware program that also uses hfnetchk. It nicely runs in a window, and takes you to the web to let you download the patches. The only problem I have with it is that it installs to the PC. But it works well!
http://www.maximized.com/freeware/hotfixreporter/
However, here is a shareware program that also uses hfnetchk. It nicely runs in a window, and takes you to the web to let you download the patches. The only problem I have with it is that it installs to the PC. But it works well!
http://www.maximized.com/freeware/hotfixreporter/
I rely on MS critical updates on all the NT and Win2k servers.
http://windowsupdate.microsoft.com
Is this good enough for keeping the server update?
I have critical update notification installed on all the servers so that I will know as soon as any new releases.
I did not compare it with this dos utility. Because its fulse positive rate, it is not practical to track what has been installed or rebooted on many sever envorinment.
Last week, MS released another batch of critical updates that has about 14 MB. I just installed it on all the servers.
Joe Chen
jchen@xbase.com
http://windowsupdate.microsoft.com
Is this good enough for keeping the server update?
I have critical update notification installed on all the servers so that I will know as soon as any new releases.
I did not compare it with this dos utility. Because its fulse positive rate, it is not practical to track what has been installed or rebooted on many sever envorinment.
Last week, MS released another batch of critical updates that has about 14 MB. I just installed it on all the servers.
Joe Chen
jchen@xbase.com
Use the MBSA tool (http://www.microsoft.com/technet/security/tools/mbsahome.mspx) instead for a GUI interface. Not sure why you would need/want the command line tool.
Microsoft Network Security Hotfix Checker has been replaced by Microsoft BaseLine Security Analyser.
Many thanx.
Many thanx.
Figures (illustration) does not display in the web browser. Incomplete HTML links.
SBC
SBC
This is good information. But, I would like to know if there is a way to deploy these hotfixes or security patches to several client workstations running NT4.0 without physically going to the machine.
Yes, simply run the appropriate switch.
You would want to run one of these two swithes.
-i Specifies the IP address of the computer to scan. The example shows you how to scan multiple IP addresses from one central location.
hfnetchk -i 192.168.1.5,192.168.1.10,192.168.1.15
hfnetchk -r
Specifies an IP address range
hfnetchk -r 192.168.1.1-192.168.1.50
Hope that helps. For a list of the syntax just browse to the directory where you installed the Hotfix checker and type hfnetchk /?.
You would want to run one of these two swithes.
-i Specifies the IP address of the computer to scan. The example shows you how to scan multiple IP addresses from one central location.
hfnetchk -i 192.168.1.5,192.168.1.10,192.168.1.15
hfnetchk -r
Specifies an IP address range
hfnetchk -r 192.168.1.1-192.168.1.50
Hope that helps. For a list of the syntax just browse to the directory where you installed the Hotfix checker and type hfnetchk /?.
UpdateExpert from St Bernards gives ability to deploy hotfixes automatically across networks.
We have been using a product developed in the states called Netwizard. This product is created by Attachmate and we have found it to be a truly great assest. You write a small package which you can drag and drop to agents or you can recall that package. The South Africa contact person is Harry Kingma @ +27828822161
Fantastic product and it can be run on a pc. There are much more feutures available in this package
License Metering
Reporting
Software
Hardware
DMI
WMI
Status Reporting of clients
etc...
Fantastic product and it can be run on a pc. There are much more feutures available in this package
License Metering
Reporting
Software
Hardware
DMI
WMI
Status Reporting of clients
etc...
Use Languard NSS http://www.gfi.com/lannetscan/ Scan your IP range and deploy selected patches.
MS should integrate this within the SUS/WUS tool. Oh no! that would be the logical thing to do...imagine that, having more than one tool from Microsoft which complements one another in one environment.
- Keyboard Shortcuts:
- Prev
- Next
- Toggle
