As the recent outbreaks of the Code Red and Nimda worms have aptly demonstrated, it is critical for Windows administrators to stay up to date on security patches. To aid in this process, Microsoft has released the Microsoft Network Security Hotfix Checker. This tool allows administrators to scan Windows systems to ensure that all security patches are applied and current.

The Hotfix Checker is a command-line tool that looks at the status of all patches installed on your Microsoft servers and tells you whether they’re up to date. The tool does this by referring to a public XML database that Microsoft updates periodically. You can use this tool to provide the patch status of the following products:

  • Windows 2000
  • Windows NT 4.0
  • Internet Information Services (IIS) 4.0 and 5.0
  • Internet Explorer (IE) 5.01 and higher
  • SQL Server 7.0 and SQL Server 2000

Installing and using the tool
When you download the tool, you are prompted for a location to install the executable. Choose the appropriate directory and run the executable. Figure A shows the files that will be placed in your specified directory.

Figure A

To run the Hotfix Checker:

  1. Open a command prompt and change to the directory where you installed the Hotfix Checker, as shown in Figure B.

Figure B

  2. Type hfnetchk, press [Enter], and you’ll see the screen shown in Figure C.

Figure C

  3. For a more detailed explanation, type hfnetchk -v -z, as we’ve done in Figure D.

Figure D

Now that you have a detailed report on your system, you can begin to download and apply the appropriate patches. I recommend that you go to Microsoft’s Knowledge Base Search and enter the appropriate article numbers to find the patches that the Hotfix Checker indicated that you need. After finding a patch, download and install it. I’ll walk you through an example to show you what I’m talking about.

To obtain and install patches:

  1. As you saw in Figure D, our sample report details many security holes. We’ll highlight an article number (Figure E) and copy it.

Figure E

  2. Next, we’ll go to Microsoft’s Knowledge Base Search, select Specific Article ID Number, paste the article number in the My Question Is text box, as shown in Figure F, and click Go.

Figure F

  3. At this point, we just downloaded and installed the patch. When we ran the Hotfix Checker again, the installed patch no longer appeared in the report, as shown in Figure G.

Figure G

  4. You can also view the XML file by browsing to where you installed the tool. As you can see in Figure H, there is now another file called mssecure.xml, which you can open and examine.

Figure H

Hotfix Checker syntax
So far, we’ve covered just the default configuration of this tool. To take a further look at the syntax of the command and its options, type hfnetchk /? from the command prompt, as shown in Figure I.

Figure I

Final word
For Windows administrators, this is a powerful tool that enables you to take control of all your Microsoft server vulnerabilities. You can find out more about the Hotfix Checker by reading “Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool.” For an advanced GUI version of the Hotfix program, check out Shavlik Technologies, the company that created the program for Microsoft.
