Our old friends FileMon and RegMon have now been integrated into a tool called Process Monitor. This new tool integrates the functionality of file access capturing from FileMon with the registry access capturing of RegMon into a single interface.

Process Monitor now includes some much needed feature enhancements from the original individual tools. The neatest of these is...

 
Continue reading FileMon/RegMon Now Integrated into Process Monitor...

Posted by Greg Shields | Comments (0) | TrackBacks (0)

So yesterday's script was great if you're sitting on the console of the server and you want that server to download, install, and reboot for patching. But, what if you want to sit in your lofty white Systems Administrator's tower and instruct your computers to do the patching for you. With remoteability to yesterday's script, you could even do your monthly patching from the comfort of your own home!

(I know this. I used to use this script to do my monthly patching from home! So, I know it works.)

To use this script, you'll need two things. First, you'll need to create a text file with a list of computer names -- one per line -- and reference that file when you run the script. You'll also need a username and password of an account that has administrator rights on the remote machines. An example: remoteYouPatchNOW.vbs computers.txt DOMAIN\Username P!. You'll also need to download the Microsoft PSTools and drop the executable for PSExec into either your path or the same folder as this script.

Lastly, you'll need to name yesterday's script "wsus-install-agent.vbs" and put it into the same folder as this script. This script will copy yesterday's script into the ADMIN$ location on the remote machine and use PSExec to remotely launch it. Perfect!

Click the link below for the code:

 
Continue reading Hacking WSUS #5 of 5 -- The Holy Grail: A Remoteable "YOU PATCH NOW!" Script...

Posted by Greg Shields | Comments (0) | TrackBacks (0)

Most Windows administrators' biggest complaint about WSUS is its lack of an ability to patch on-demand, without having to wait for the Group Policy-scheduled time to arrive. Even in talking with the WSUS team, they have told me that they haven't planned for this capability natively in the WSUS 3.0 GUI.

However, within the scripting exposure, there is the capability to create a "YOU PATCH NOW!" script that will instruct a machine to scan itself, download any necessary patches, install them, and reboot if necessary. Since, according to Microsoft, this functionality is still not available when WSUS 3.0 arrives, keep this script close at hand. It will come in handy -- especially for patching servers!

As with some of our other scripts, you'll need to create a text file with a list of computer names -- one per line -- and reference that file when you run the script. An example: youPatchNOW.vbs computers.txt.

Click the link below for the code:

 
Continue reading Hacking WSUS #4 of 5 -- The "Big Red Button" or How to Patch When you want with WSUS...

Posted by Greg Shields | Comments (0) | TrackBacks (0)

Ever felt the pain of comparing the patch number (the "MS0X-0XX Number") to the knowledgebase article number (the "Q Number") when you're trying to figure out which patches to push? WSUS lists patches by their knowledgebase article number. But, the monthly patch announcements you get from Microsoft typically list them by their patch number. Translating between these two numbers can be a pain in the neck.

What's truly interesting (thank you Microsoft!) about the WSUS database is that its completely open and available, no matter if you use MSDE or SQL as your database engine. This means that you can peer into the database to find out more information about the workstations on your network and their patch level. The database is highly normalized, which means that it can be a chore to link the primary and foreign keys together to get a useful report. But, perseverence will prevail if you know what you're looking for.

This, the third script in our series, leverages this ability to peer into the WSUS database to create a comparison report which shows the MS0X-0XX number for each patch and the associated knowledgebase article number for them. Its great for keeping these straight in your head. Note that I haven't tested this script against WSUS 3.0.

You'll need to change the first line to the name of your WSUS server. If you're using MSDE as your database for WSUS, you'll need to open up permissions so you can access it remotely.

Click the link below for the code:

 
Continue reading Hacking WSUS #3 of 5 -- Creating a MS Number to Knowledgebase Article Number Comparison Report...

Posted by Greg Shields | Comments (0) | TrackBacks (0)

Aha! Knowing the patches installed on your computers is only so useful. Its great for handing to auditors. But what should really interest you is a report that will show you what patches are not installed on a particular computer.

What's interesting about this report is how it determines which patches are and are not installed. If the computer you scan is connected to a local WSUS server for its patches, it will compare itself against the patches set to "Install" on that WSUS server. If, however, this computer is not attached to a WSUS server, it will do the comparison against update.microsoft.com, and assume all patches there are considered approved.

Like with yesterday's script, you'll need to create a text file with a list of computer names -- one per line -- and reference that file when you run the script. An example: wsusDetectNotInstalled.vbs computers.txt.

Click the link below for the code:

 
Continue reading Hacking WSUS #2 of 5 -- Create Missing Patches Report...

Posted by Greg Shields | Comments (0) | TrackBacks (0)