Automatically patching machine with hotfix KB824146 using mbsafu.
From: Albers, Lucas (luke_at_COE.MONTANA.EDU)
Date: Thu, 11 Sep 2003 20:45:43 -0600
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I didn't want to spend as many hours patching machines with KB824146 exploit
as I did with KB823980, so I tried out mbsafu.
Mbsafu is an automatic remote patching tool that applies Security updates
based on Microsoft Baseline Security Analyzer output.
This will patch NT4, WIN2k, WINXP, WIN2003 machines.
I patched 200-250 machines in our domain in 1<hour using the free tool:
Mbsafu. It works! We ran this against desktops and domain controllers.
Before deploying this, TEST IT on a few machines.
Steps to patch machines:
Download and unzip mbsafu.
Read the usage.txt and readme.txt that come with the program.
Read the docs......
Download and install mbsa (Microsoft).
You need this to run mbsacli the mbsa command line scanner.
Run mbsacli scan against the computers in your domain.
Mbsacli -hf -d DOMAIN -o tab > output.csv
You can also run mbsacli on a range of ip addresses.
Look at the options...
Set up a network share with full privileges for the account you will patch
Set to full control for the domain admin account you will use.
Parse the output using mbsaparse
Type output.csv | mbsaparse \\server\share
Download all needed patches it detects using:
Troubleshoot patches that did not download by manually downloading via
Determine the specific patch you want to apply.
824146 is the patch I want to apply.
Edit the patch files to only apply that specific patch.
The patch files contain the patches to apply for each machine, one
patch per line.
If you remove all the lines except for the 824146 line, it will only install
Set the command line switches for all the patches or the patches you want to
mbsaswitch \\server\share all "-z -q"
Note: this is to do an unattended install without a reboot.
If you want to reboot after applying the patch, read about the switches you
need to set, I do not recommend this. I wrote a simple perl script to
determine if anyone is logged onto the computer, so you can reboot it later.
For NT 4 clients you want the switches to be="/z /q" <--- VERIFY THIS!
Change your domain admin password to use a character-number only password.
When I had my password set using alphanumerics, it did not work correctly.
Run the autopatch tool.
This uses windows scheduler to schedule the job to run on the target
It should encrypt your password.
mbsascheduler.exe \\server\share domain\user pass timeout-in-seconds
Runs process remotely, this is similar to psexec but does not encrypt your
mbsaremote.exe \\server\share domain\user pass timeout > remote-
This will then schedule the remote machine to install the patch from your
network share using domain credentials, it uses windows scheduler so the
password is not sent in clear text to the machine.
Start the update using scheduler service wait 10 minutes for it to complete
on each machine, and log the results to remote-result3.csv
mbsascheduler.exe \\server\share domain\user password 600 > remote-
As soon as it finishes, change your domain password.
It takes a while to get started, so be patient, and it took 5 minutes before
I started getting connections on the network share with the clients
installing the patch.
Additional Items: Tools and Information I used to patch and verify:
Perl script to find computers no one is logged onto.
Note, Pure Hack.
If you want to improve it and send me the improvements, go ahead.
Eventcombmt can be used to search for event logs relating to installation of
Look for event 4377,8
"shutdown /i /r /f" will allow you to interactively shutdown computers
"Retina Network Security Scanner has been updated to identify this
Also our FREE RPC scanner tool has been updated to check for this second
Microsoft has released a patch for this vulnerability. The patch is
Montana State University - Bozeman
Computer Science System Administrator, Bozeman MT 59717
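
The "edit the patch files to only apply that specific patch" step above, as an added example that is not part of the original post or of mbsafu: it trims each per-machine patch file to the 824146 line, keeps a backup outside the share, and lists machines whose file has no such line. It assumes the patch files are `*.txt` files in one directory and that the KB number appears in each patch line; `keep_only_patch`, the file names and the sample lines are hypothetical.

```python
import re
import shutil
import tempfile
from pathlib import Path


def keep_only_patch(patch_dir, backup_dir, kb="824146", pattern="*.txt"):
    """Trim each per-machine patch file to the lines that name `kb`.

    Returns (trimmed, no_match): names of rewritten files, and names of
    files with no line for `kb`, which are left untouched for review.
    """
    # Match the KB number only as a whole number, not inside a longer one.
    wanted = re.compile(rb"(?<!\d)" + re.escape(kb.encode()) + rb"(?!\d)")
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    trimmed, no_match = [], []
    for path in sorted(Path(patch_dir).glob(pattern)):
        # Work in bytes so CRLF line endings and the file's encoding survive.
        lines = path.read_bytes().splitlines(keepends=True)
        keep = [ln for ln in lines if wanted.search(ln)]
        if not keep:
            no_match.append(path.name)
            continue
        shutil.copy2(path, backup_dir / path.name)  # original list, for rollback
        path.write_bytes(b"".join(keep))
        trimmed.append(path.name)
    return trimmed, no_match


def demo():
    """Run against constructed sample files; names and line layout are made up."""
    root = Path(tempfile.mkdtemp())
    share, backup = root / "share", root / "backup"
    share.mkdir()
    (share / "PC01.txt").write_bytes(
        b"WindowsXP-KB823980-x86-ENU.exe\r\nWindowsXP-KB824146-x86-ENU.exe\r\n")
    (share / "PC02.txt").write_bytes(b"WindowsXP-KB823980-x86-ENU.exe\r\n")
    result = keep_only_patch(share, backup)
    return result, (share / "PC01.txt").read_bytes(), (backup / "PC01.txt").exists()


if __name__ == "__main__":
    print(demo())
```

Files reported in `no_match` still hold their full patch list, so review them before running the scheduler step.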