Using AutoIT to deploy patches


SvenP
Has anyone looked at the Windows Update Agent API?

I made a WSH shutdown script that uses this rather than running Automatic Updates. It's COM based, so you could do mighty things with it using the unstable release (thanks, Sven & devs).

There's an example of the API (in VBScript) here.

<{POST_SNAPBACK}>

Hi DaveF,

That one looks very promising when you only need the Microsoft Hotfixes.

But it requires the 'Windows Update Service' turned on and an active network connection.

It saves a lot of programming however.

Regards,

-Sven

I am having a problem with this script where it doesn't recognize command line parameters for the patches (/quiet, /passive, and /noreboot)

I have added in some MsgBox debugs, and it seems to have the right parameters there, however they don't get run (the patch pops up, and doesn't automatically install)

<{POST_SNAPBACK}>

g3cko,

Can you give an example, how you exactly entered the line that contains the patch?

Which patch number is it?

Regards,

-Sven


Guest g3cko

g3cko,

Can you give an example, how you exactly entered the line that contains the patch?

Which patch number is it?

Regards,

-Sven

<{POST_SNAPBACK}>

Q890923;MS05-020;"Cumulative Security Update for Internet Explorer";kb890923-x86-enu.exe /quiet /passive /norestart;;;;;;;;x;;x;;;;"RegRead(""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923-IE6SP1-20050225.103456"",""Installed"")=1";1

(2k and xp sp1 are 'x''d out)

I'm wondering if it has something to do with

a) it's running from a UNC not a mapped drive letter

b) some genius used spaces in the name


Q890923;MS05-020;"Cumulative Security Update for Internet Explorer";kb890923-x86-enu.exe /quiet /passive /norestart;;;;;;;;x;;x;;;;"RegRead(""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923-IE6SP1-20050225.103456"",""Installed"")=1";1

(2k and xp sp1 are 'x''d out)

I'm wondering if it has something to do with

a) it's running from a UNC not a mapped drive letter

b) some genius used spaces in the name

<{POST_SNAPBACK}>

Hello g3cko,

This is my version of MS05-020 (don't mind the EXE's filenames, I always rename them for more clarity):

Q-Number;PatchNumber;Description;Commandline;Remarks;win95;win98;winme;winnt4sp1-5;winnt4sp6;win2000sp1-2;win2000sp3-4;winxp;winxpsp1;winxpsp2;win2003;win2003sp1;InstalledCriteria;RequiredCriteria
Q890923;MS05-020;Cumulative Security Update for Internet Explorer 6 SP1;Q890923-IE60sp1-cumulative.exe /passive /norestart;Also win2003;;;;;;;x;x;x;;x;;"RegRead($HSM & ""\Windows NT\CurrentVersion\HotFix\KB890923-IE6SP1-20050225.103456"",""Installed"")=1 or RegRead($HSM & ""\Windows NT\CurrentVersion\HotFix\KB890923"",""Installed"")=1";"StringLeft(RegRead($HSM & ""\Internet Explorer"",""Version""),8)=""6.0.2800"" or StringLeft(RegRead($HSM & ""\Internet Explorer"",""Version""),8)=""6.0.3790"""

Q890923;MS05-020;Cumulative Security Update for Internet Explorer 6 on Windows XP SP2;Q890923-IE60SP2-cumulative.exe /passive /norestart;Only for WinXP SP2;;;;;;;;;;x;;;"RegRead($HSM & ""\Active Setup\Installed Components\{04d6265d-6b5d-41c3-9e7c-48be15919643}"",""IsInstalled"")=1 or RegRead($HSM & ""\Windows NT\CurrentVersion\HotFix\KB890923"",""Installed"")=1";"StringLeft(RegRead($HSM & ""\Internet Explorer"",""Version""),8)=""6.0.2900"""

Mind that Microsoft released two different EXE files, one is ONLY for WinXPSP2. I can't tell from your filename if you have the correct EXE.

I didn't use the '/quiet' option, maybe that's the cause?

-Sven

EDIT: Did you already give the solution with that line "some genius used spaces in the name"?

Edited by SvenP
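
Added example (not part of the original posts or of the MSPatch script): Python code that parses the patchlist.csv rows quoted above, lists the OS columns marked with x, and builds the launch command with the executable path quoted, so that a patch folder containing spaces cannot split the path from its switches. The share path `\\fileserver\deploy\MS Patches` and all function names are assumptions; how the MSPatch script itself builds its command line is not shown in this thread.

```python
import csv
import io
import ntpath
import subprocess

# Header and two rows copied from the posts above (g3cko's row, SvenP's XP SP2 row).
PATCHLIST = r'''Q-Number;PatchNumber;Description;Commandline;Remarks;win95;win98;winme;winnt4sp1-5;winnt4sp6;win2000sp1-2;win2000sp3-4;winxp;winxpsp1;winxpsp2;win2003;win2003sp1;InstalledCriteria;RequiredCriteria
Q890923;MS05-020;"Cumulative Security Update for Internet Explorer";kb890923-x86-enu.exe /quiet /passive /norestart;;;;;;;;x;;x;;;;"RegRead(""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB890923-IE6SP1-20050225.103456"",""Installed"")=1";1
Q890923;MS05-020;Cumulative Security Update for Internet Explorer 6 on Windows XP SP2;Q890923-IE60SP2-cumulative.exe /passive /norestart;Only for WinXP SP2;;;;;;;;;;x;;;"RegRead($HSM & ""\Active Setup\Installed Components\{04d6265d-6b5d-41c3-9e7c-48be15919643}"",""IsInstalled"")=1 or RegRead($HSM & ""\Windows NT\CurrentVersion\HotFix\KB890923"",""Installed"")=1";"StringLeft(RegRead($HSM & ""\Internet Explorer"",""Version""),8)=""6.0.2900"""
'''


def load_patchlist(text):
    """Parse the ';'-separated list; a doubled "" inside a quoted field is one quote."""
    reader = csv.reader(io.StringIO(text, newline=""), delimiter=";",
                        quotechar='"', doublequote=True)
    header = next(reader)
    rows = []
    for lineno, fields in enumerate(reader, start=2):
        if not fields:
            continue
        # A miscounted ';' shifts every OS flag, so reject rows that do not line up.
        if len(fields) != len(header):
            raise ValueError(f"line {lineno}: {len(fields)} fields, expected {len(header)}")
        rows.append(dict(zip(header, fields)))
    return header, rows


def targeted_os(header, row):
    """Names of the OS columns (between Remarks and InstalledCriteria) marked 'x'."""
    os_cols = header[header.index("Remarks") + 1:header.index("InstalledCriteria")]
    return [col for col in os_cols if row[col].strip().lower() == "x"]


def build_command(patch_dir, commandline):
    """Join folder and Commandline field; quote the path only when it needs it.

    Assumes the executable name itself contains no spaces, as in the rows above.
    """
    exe, *switches = commandline.split()
    return subprocess.list2cmdline([ntpath.join(patch_dir, exe), *switches])


if __name__ == "__main__":
    header, rows = load_patchlist(PATCHLIST)
    for row in rows:
        # Hypothetical UNC share with a space in the folder name.
        print(targeted_os(header, row),
              build_command(r"\\fileserver\deploy\MS Patches", row["Commandline"]))
```
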

Hello,

Since most users had troubles creating the CSV-files for this program, I made a simple patchlist CSV Editor (PatchListEditor.au3).

I have included it in the new mspatch4.1.zip on page one of this topic.

It requires AutoIt beta version 3.1.1.18 or higher.

The editor is 'under development', so it is not fool-proof yet. I'm still working on it.

Regards,

-Sven


Has anyone looked at the Windows Update Agent API?

I made a WSH shutdown script that uses this rather than running Automatic Updates. It's COM based, so you could do mighty things with it using the unstable release (thanks, Sven & devs).

There's an example of the API (in VBScript) here.

<{POST_SNAPBACK}>

You should change your wording "unstable release" to "beta release" :(

Hello,

I have done some work on the custom CSV file Editor. It has now a lot more capabilities (see first page of this topic).

The code could probably also be used to edit other type of CSV files, depending on how you would format them. Feel free to (mis)use the code.

Regards,

-Sven

Screenshot attached:


I just downloaded 4.2, and I am running that 'Check' tool. Clicking the cancel button does not work...actually, it just finished. It takes about 10-15 seconds for it to cancel the operation...

Looks good!

Writing AutoIt scripts since

_DateAdd("d", -2, _NowCalcDate())

I just downloaded 4.2, and I am running that 'Check' tool.  Clicking the cancel button does not work...actually, it just finished.  It takes about 10-15 seconds for it to cancel the operation...

Looks good!

<{POST_SNAPBACK}>

Hello MSLx Fanboy,

That's indeed a nasty thing to fix. To check whether an AutoIt3 expression is valid or not, I had to create a temporary script, run AutoIt3 again with the /ErrorStdOut parameter and delete the script. That costs a lot of CPU, and it will slow down the response time of the GUI. I am trying to get this done WITHIN a script, but I can't do that without modifying the AutoIt3.exe.

If somebody knows a faster way to check an expression-syntax at runtime, then please let me know.

By the way: you can do a quick check if the 'expression check routine' on your computer works properly by entering an invalid expression in one of the expression fields and press the 'V' button next to it.

I am now trying to program a kind of 'import' function, that will import data from Microsoft's MSSECURE.XML, which contains all information about their current hotfixes.

Regards,

-Sven


That's fine. I can live with it since only I will be experiencing that, and it would not be something done on a daily basis. I'll have to start playing with it on a test machine.

Writing AutoIt scripts since

_DateAdd("d", -2, _NowCalcDate())

  • 3 weeks later...

I am now trying to program a kind of 'import' function, that will import data from Microsoft's MSSECURE.XML, which contains all information about their current hotfixes.

Hi!

I'm just starting with your tool and find it very useful.

Patchmanagement in our company is my job, too. The workstations (~1200) get their patches by using Microsoft SMS - just installing "Software Update Services Feature Pack".

I plan to use your tool for servers (~70) and new workstations (~50 per month because of leasing changes). In the future I think I will upgrade the patchlist.csv each patch day and add office patches, too.

An import from mssecure.xml would be very nice. When feature pack is installed we update this file weekly in our environment.

How do you find the right registry keys and file versions for the patchlist.csv?

I find Install Watch / Install Rite and RegShot very handy. For more complicated things I can use Wise Package Studio and can even build *.msi packages - if necessary.

We use McAfee, too. I will add some code for VirusScan 8i ...

Edited by wfuehrer

Wolfgang Führer


Hello MSLx Fanboy,

That's indeed a nasty thing to fix.  To check whether an AutoIt3 expression is valid or not, I had to create a temporary script, run AutoIt3 again with the /ErrorStdOut parameter and delete the script.  That costs a lot of CPU, and it will slow down the response time of the GUI.  I am trying to get this done WITHIN a script, but I can't do that without modifying the AutoIt3.exe. 

If somebody knows a faster way to check an expression-syntax at runtime, then please let me know.

By the way: you can do a quick check if the 'expression check routine' on your computer works properly by entering an invalid expression in one of the expression fields and press the 'V' button next to it.

I am now trying to program a kind of 'import' function, that will import data from Microsoft's MSSECURE.XML, which contains all information about their current hotfixes.

Regards,

-Sven

<{POST_SNAPBACK}>

I have not looked at the code in this much detail so forgive me if you already do this. What if you collected ALL of the expressions at one time, then put them ALL into one temp .au3 file and then run it. You would have to be clever about checking individual results. Is this possible and would it make the script faster?

-John


It would be nice to have a link at the right side of the "knowledge base number" field in the MSPatch Editor. So the new user could find the necessary updates faster and could complete his patchfolder more easily.

A possible link could be

"http://support.microsoft.com/kb/123456" or

"http://support.microsoft.com/default.aspx?scid=kb;en-us;123456" (official KB search) or

"http://support.microsoft.com/?id=123456" or

"http://www.microsoft.com/technet/security/bulletin/ms00-000.mspx".

The "Q-Number" column should be without "Q" in this case.

For the whole script it would be good to not rename the patchfile EXE so the patchfile.csv (with original names, too) will work immediately after the downloads.

Perhaps I'm able to make the enhancements. I will post it here ....

Edited by wfuehrer

Wolfgang Führer


I have not looked at the code in this much detail so forgive me if you already do this. What if you collected ALL of the expressions at one time, then put them ALL into one temp .au3 file and then run it. You would have to be clever about checking individual results. Is this possible and would it make the script faster?

-John

<{POST_SNAPBACK}>

Hello John,

Thanks for your feedback. It could indeed be a solution. However, in the latest AutoIt beta version the options "/c" and "/ErrorStdOut" can now be combined, so the current checks in the PatchEditor will run a lot faster than before.

Regards,

-Sven


Hi!

I checked the registry values of VirusScan 8i Enterprise. The code will work there too ...  :(

<{POST_SNAPBACK}>

Thanks for testing. I concluded the same here, after we upgraded to version 8i at work.

-Sven


It would be nice to have a link at the right side of the "knowledge base number" field in the MSPatch Editor. So the new user could find the necessary updates faster and could complete his patchfolder more easily.

.......

For the whole script it would be good to not rename the patchfile EXE so the patchfile.csv (with original names, too) will work immediately after the downloads.

Perhaps I'm able to make the enhancements. I will post it here ....

<{POST_SNAPBACK}>

Hello wfuehrer,

This method of patching was mainly developed for 'offline' use. When you have a permanent active internet connection, the Microsoft SMS or WUS are better choices.

Managing the patchlist.csv can be a hell of a job. You have to manually download all required files from Microsoft's web site.

In the example patchlist I made it difficult for myself by combining as many patches as possible on a single line. Otherwise I had to create separate lines for every type of operating system.

That's also why I renamed the EXE files, the original Microsoft filenames were all different.

I obtain the registry keys from the knowledgebase or security bulletin pages. Also here I try to combine similar registry keys for all operating systems, to save lines in the patchlist.csv.

I am trying to retrieve the download URL's and KB-URL's from the MSSECURE.XML. When that works, I will include that in the patchlisteditor. But it is not easy to do, because Microsoft uses different URL's for each operating system.

Regards,

-Sven


Hi!

It would be nice to have a "x" column if a patch requires a reboot. The install routine could count this and should show a reboot message only if necessary.

BTW - thanks for the great tool. I'm preparing it for use in production environment. I think I will separate the workstation and Server patchlist to avoid problems. So I will update the list each MS patch day for post XP SP2 and 2k3 Patches.

CU

Wolfgang

Wolfgang Führer
