
DOWNLOAD: Windows Update patch reporting KiXtart script

By Bill Detwiler, Editor

Fully automating Windows Update works well for desktops and laptops but not necessarily for servers. You should normally test server patches before installation and install patches during scheduled outages. Configuring Windows Update to download, but not install, patches accomplishes both goals. With this process in place, you now need to know which servers need patching and which don't before you can create an appropriate outage/patch schedule.

Microsoft WSUS offers excellent patch reporting and management features but requires a fair amount of setup and can be overkill for small shops. The Windows Update patch reporting KiXtart script provides a quick, easy way to track which Windows servers need patching.

The script was written in the free KiXtart scripting language. You must download and install the KiXtart utility from before using the wu_check.kix script. The script is designed for use on Windows 2000 Server and Windows Server 2003.

Download and try the script:

Then, join this ongoing discussion and let us know if this list provides helpful information and if there's anything we can do to improve the document's format or content.

All Comments

So what are other organizations doing for patch management?

by RLiang In reply to DOWNLOAD: Windows Update ...

SUS, WSUS, SMS, scripts, or something else? I'm curious what others are doing when it comes to patch management?

We're Using WSUS and SMS

by turbinepilot In reply to So what are other organiz ...

For Microsoft patches we're using WSUS due to its ease of use and decent reporting. All other patches are deployed using SMS. Our shop has over 500 servers distributed across nearly a dozen offices nationwide.

Do you automatically apply patches to servers?

by RLiang In reply to We're Using WSUS and SMS

Are server patches automatically applied and servers auto-rebooted or do you manually control that process?

Automatic as much as possible...

by turbinepilot In reply to Do you automatically appl ...

We configure the WSUS client on each server based upon what time of day a patch / reboot cycle would be least intrusive. The patch, complete with automatic reboot, is done completely by WSUS. On patching day the selected patches are approved on the WSUS server. Less than twenty-four hours later we're fully patched. If an emergency patch must go out immediately we'll use SMS.

Out of 500+ servers we only manually have to patch about a dozen. These servers tend to have poorly written applications that require special handling prior to and following a reboot.

Too bad this script doesn't work!

by tsadowski In reply to DOWNLOAD: Windows Update ...

The latest versions of Windows Update don't store the installs in the location that this script uses (c:\program files\WindowsUpdate\wuaudnld.tmp\cabs\). Rather, they are stored in %windir%\SoftwareDistribution\Download\*\. I put the star there because the installs are put in subdirectories with seemingly random alphanumeric character strings. The updates are then sometimes stored in an update subfolder, sometimes not. The executable is usually named update.exe and the relevant KB number is in the file name of a .cat file. But sometimes the exe is by itself. All in all I don't see this script being useful at all without a MAJOR rewrite, and I don't know KIX well enough to attempt it.

I will continue to use WSUS to pull down my updates and show me what needs to go where, and have the patches applied nightly at 3:00am.
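
The cache layout described in the post above, turned into a scanner; this is an added example, not part of the original post or the wu_check.kix script. It is written in Python rather than KiXtart, the sample tree, directory names and KB numbers are constructed, and it assumes that an .exe left in the cache is a downloaded update still awaiting installation.

```python
import os
import re
import tempfile
from pathlib import Path

KB_RE = re.compile(r"KB\d+", re.IGNORECASE)

def default_download_root():
    """The cache location named in the post above."""
    windir = os.environ.get("windir", r"C:\Windows")
    return Path(windir) / "SoftwareDistribution" / "Download"

def scan_download_cache(root):
    """Return one record per cache subdirectory that holds an installer.

    The .exe may sit in the subdirectory itself or in an 'update' subfolder;
    KB numbers come from .cat file names and may be absent (exe by itself).
    """
    records = []
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_dir():
            continue
        files = sorted(p for p in entry.rglob("*") if p.is_file())
        exes = [p for p in files if p.suffix.lower() == ".exe"]
        if not exes:
            continue  # nothing installable was downloaded here
        kbs = sorted({m.group(0).upper() for p in files
                      if p.suffix.lower() == ".cat"
                      for m in KB_RE.finditer(p.name)})
        records.append({"dir": entry.name,
                        "installer": exes[0].relative_to(entry).as_posix(),
                        "kbs": kbs or ["unknown"]})
    return records

def build_sample_cache(root):
    """Constructed sample tree (made-up directory names and KB numbers)."""
    layout = {
        "3f9a1c0e7b": ["update/update.exe", "update/KB900001.cat"],
        "a81d44c2f0": ["update.exe", "KB900002.cat"],
        "77be02d915": ["setup.exe"],   # exe by itself, no .cat file
        "0c5e9d1a3b": ["readme.txt"],  # no installer, so not reported
    }
    for sub, names in layout.items():
        for name in names:
            path = Path(root) / sub / name
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        for rec in scan_download_cache(tmp):
            print(rec["dir"], rec["installer"], ",".join(rec["kbs"]))
```

To scan a real server, pass `default_download_root()` to `scan_download_cache()` instead of the sample tree.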

A better way to view updates

by tsadowski In reply to Too bad this script doesn ...

I recently tripped across a better way to monitor what updates need to be applied to a system. This includes all desktop and server versions of Windows based on NT.

Microsoft Baseline Security Analyzer 2.0, provided by Microsoft and based on the technology in Shavlik's HFNetCheck, is an excellent tool for scanning systems and providing you a list of updates that are required for the Microsoft programs installed on your computer. I say programs, and not the OS because it scans MS Office too.

That all said, I am not 100% sure what versions it will scan, but it definitely works on Windows 2000 and up, and at least Office 2003. Anyone who needs to get a view of the updates that are needed, but can't afford the hassle of a full WSUS system, should check the Security Baseline Analyzer.