#114550 - 2004-02-23 10:19 PM
Re: Patch Management
Learic
Fresh Scripter
Registered: 2004-02-16
Posts: 12
Quote:
    at.exe

So if I sit at a machine, open up the command prompt and type at.exe 23:00 "C:\%patch%", it will run the patch with system-level access? I've tried that before on a workstation and the process just wouldn't run when 11pm hit. It would just fail, which I assumed was due to a restricted user being logged in at the time the schedule was supposed to run. If it automatically assumes system account-level access, then my problem should be resolved whether I have rights to log into the box or not, right?
#114554 - 2004-02-24 12:15 PM
Re: Patch Management
Richie19Rich77
Seasoned Scripter
Registered: 2002-08-16
Posts: 624
Loc: London, England
Thanks for all the replies. We don't have the money to get SMS (£6 million in the red), so I will have to look at creating a custom patch management tool.
Looking at all your replies, I have some ideas.
Thanks
#114555 - 2004-02-24 02:48 PM
Re: Patch Management
Learic
Fresh Scripter
Registered: 2004-02-16
Posts: 12
I actually wrote a script that performs the following tasks.

0. Checks the OS and then performs the appropriate checks with the correct files for that OS.
1. Checks the workstation for Service Pack level. If not the latest, installs the latest.
2. Checks the version of IE; if not the latest, installs the latest.
3. Checks MDAC; if not the latest, installs the latest.
4. Checks for security patches:
   A> I coded this part to use an external TXT file that simply contains the patch numbers. Ex. The text file looks like the following:
        KB000000
        KB828028
   B> The script will read a line in the text file and then store it as a variable. It will then check that variable against the registry:
        KeyExist("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\" + $patch)
   C> If the patch exists, it moves on to the next entry in the text file. If not, it takes the variable and applies it to a shell command:
        Shell $sharepath + "\patch2k\Windows2000-" + $patch + "-x86-ENU.EXE /Q /M /Z"
   D> At the end of the check and install process, I then have it execute a shell with Qchain.
   Note: Not all MS patches conform to this standard. Some patches begin with Q, such as q330994. When I have one of these, my script checks the registry in the following location. The version number is read to make sure the Q patch has been applied. If not, it will shell the Q patch with the /Q:A /R:N switches.
        ReadValue("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}", "Version") <> "6,0,2800,1165"
   E> My script does other things, like installing ePO, but I'm just trying to help.

Oh well, it's just my idea and it works for me!
#114556 - 2004-02-24 04:09 PM
Re: Patch Management
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
patch.kix: using srvany.exe to run as a service on the client PC
Code:
    break on

    $ini = '@scriptdir\patch.ini'
    $setupfolder = 'S:\Win2k_Hotfixes'

    for each $section in inisections($ini)
        $install = 0
        $patch = readprofilestring($ini, $section, 'patch')
        if exist($setupfolder + '\' + $patch)
            if readprofilestring($ini, $section, 'check') = 'key'
                ; detection by registry key: a missing key means the patch is not installed
                $key = readprofilestring($ini, $section, 'regkey')
                if not @error and not keyexist($key)
                    $install = 1
                endif
            else
                ; detection by file version: a missing or older file means install
                $updated = ExpandEnvironmentVars(readprofilestring($ini, $section, 'updated'))
                $version = readprofilestring($ini, $section, 'version')
                if not exist($updated)
                    $install = 1
                endif
                ; note: this is a string comparison of the two version values,
                ; not a per-component numeric one
                if getfileversion($updated) < $version
                    $install = 1
                endif
            endif
            if $install
                ? $patch + ' needs to be installed'
                $command = ExpandEnvironmentVars(readprofilestring($ini, $section, 'command'))
                ; copy $setupfolder + '\' + $patch c:\
                ; shell '%comspec% /c c:\' + $command
                ; runonce...
                ? '%comspec% /c c:\' + $command
            else
                ? $patch + ' is already installed'
            endif
        endif
    next
    ? 'done'

    ; returns the section names of an ini file as an array
    function IniSections($file)
        dim $sections
        if not exist($file)
            exit 1
        endif
        $sections = join(split(readprofilestring($file, '', ''), chr(10)), '|')
        $IniSections = split(left($sections, len($sections) - 1), '|')
    endfunction
and here is the ini file on the server
Code:
    [KB329115]
    patch = Windows2000-KB329115-x86-ENU.exe
    check = key
    regkey = HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB329115
    command = Windows2000-KB329115-x86-ENU.exe -q -z -u -n -o

    [KB823182]
    patch = Windows2000-KB823182-x86-ENU.exe
    check = file
    updated = %windir%\system32\cryptui.dll
    version = 5.131.2195.6758
    command = Windows2000-KB823182-x86-ENU.exe -q -z -u -n -o

    [Internet Explorer 6 Security Rollup - November 2003]
    patch = q824145.exe
    check = key
    regkey = HKLM\Software\Microsoft\Active Setup\Installed Components\{057997dd-71e4-43cc-b161-3f8180691a9e}
    command = q824145.exe /q /r:n
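The detection logic that both Learic's text-file driven script and Radimus's patch.kix describe (a registry key must exist, or a file must be present at or above a given version, else run the installer command) as an added example in Python; this is not code from either post. It reads the same ini layout Radimus posted, but the registry and file-version probes are passed in as callables and driven by constructed state, so it runs offline; on a Windows host you would back them with winreg and the file's version resource, which is assumed and not shown. Version strings are compared per numeric component (commas, as in the Active Setup "6,0,2800,1165" value, are accepted), which avoids the trap in a plain string comparison where "5.131.2195.10000" sorts below "5.131.2195.6758". The [KBEXAMPLE] section and the machine state are made up for the demonstration.

```python
"""Decide which hotfixes a machine still needs from a patch.ini.

check = key   -> installed if the registry key 'regkey' exists
check = file  -> installed if 'updated' exists at or above 'version'
The registry and file-version probes are callables so the logic runs offline
against constructed state; on Windows they would wrap winreg and the file's
version resource (assumed, not shown here).
"""
import os
from configparser import ConfigParser
from typing import Callable, Dict, Optional, Tuple

# Constructed sample: the three sections posted in the thread plus a made-up
# [KBEXAMPLE] whose target file is absent, so it must be installed.
SAMPLE_INI = r"""
[KB329115]
patch = Windows2000-KB329115-x86-ENU.exe
check = key
regkey = HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB329115
command = Windows2000-KB329115-x86-ENU.exe -q -z -u -n -o

[KB823182]
patch = Windows2000-KB823182-x86-ENU.exe
check = file
updated = %windir%\system32\cryptui.dll
version = 5.131.2195.6758
command = Windows2000-KB823182-x86-ENU.exe -q -z -u -n -o

[Internet Explorer 6 Security Rollup - November 2003]
patch = q824145.exe
check = key
regkey = HKLM\Software\Microsoft\Active Setup\Installed Components\{057997dd-71e4-43cc-b161-3f8180691a9e}
command = q824145.exe /q /r:n

[KBEXAMPLE]
patch = Windows2000-KBEXAMPLE-x86-ENU.exe
check = file
updated = %windir%\system32\example.dll
version = 1.0.0.1
command = Windows2000-KBEXAMPLE-x86-ENU.exe -q -z -u -n -o
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.131.2195.6758' or '6,0,2800,1165' -> (5, 131, 2195, 6758).
    Int tuples compare per component; a plain string compare (as in the KiX
    'getfileversion($updated) < $version') sorts 10000 below 6758."""
    return tuple(int(p) for p in text.replace(',', '.').split('.') if p.strip())


def evaluate(ini_text: str, key_exists: Callable[[str], bool],
             file_version: Callable[[str], Optional[str]],
             share_has: Callable[[str], bool]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each section to (status, command): status is 'install', 'installed',
    'no-installer' (file not on the share) or 'bad-config'; command is set
    only when an install is needed."""
    cp = ConfigParser(interpolation=None)   # keep %windir% and {GUID} literal
    cp.read_string(ini_text)
    plan: Dict[str, Tuple[str, Optional[str]]] = {}
    for name in cp.sections():
        sec = cp[name]
        patch = sec.get('patch', '').strip()
        if not patch or not share_has(patch):
            plan[name] = ('no-installer', None)
            continue
        check = sec.get('check', '').strip().lower()
        if check == 'key':
            installed = key_exists(sec.get('regkey', ''))
        elif check == 'file':
            # expandvars resolves %windir% on Windows and leaves it alone elsewhere
            have = file_version(os.path.expandvars(sec.get('updated', '')))
            installed = have is not None and \
                parse_version(have) >= parse_version(sec.get('version', '0'))
        else:
            plan[name] = ('bad-config', None)
            continue
        if installed:
            plan[name] = ('installed', None)
        else:
            plan[name] = ('install', os.path.expandvars(sec.get('command', '')))
    return plan


# Constructed machine state for the offline run: the IE rollup key is present,
# the KB329115 key is absent, cryptui.dll is newer than required, example.dll is missing.
FAKE_KEYS = {r'HKLM\Software\Microsoft\Active Setup\Installed Components'
             r'\{057997dd-71e4-43cc-b161-3f8180691a9e}'}
FAKE_FILES = {'cryptui.dll': '5.131.2195.10000'}
FAKE_SHARE = {'Windows2000-KB329115-x86-ENU.exe', 'Windows2000-KB823182-x86-ENU.exe',
              'q824145.exe', 'Windows2000-KBEXAMPLE-x86-ENU.exe'}


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    lower_keys = {k.lower() for k in FAKE_KEYS}   # registry paths are case-insensitive
    return evaluate(
        SAMPLE_INI,
        key_exists=lambda k: k.lower() in lower_keys,
        file_version=lambda p: FAKE_FILES.get(p.replace('\\', '/').rsplit('/', 1)[-1].lower()),
        share_has=lambda f: f in FAKE_SHARE,
    )


if __name__ == '__main__':
    for name, (status, cmd) in demo().items():
        print(f'{name}: {status}' + (f'  ->  {cmd}' if cmd else ''))
```

Running it as a script prints the plan: KB329115 and KBEXAMPLE need their installer commands, the other two are already present. The per-section decision is separate from execution on purpose, so the same plan can feed a dry run, a shell call, or a QChain batch afterwards.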
#114558 - 2004-02-24 05:36 PM
Re: Patch Management
Glenn Barnas
KiX Supporter
Registered: 2003-01-28
Posts: 4402
Loc: New Jersey
Richard:
I have a small set of scripts that you might be able to implement with just some config-file changes.
I employ a standard directory structure for all software, including hotfixes and service packs. This structure is replicated between physical sites on the WAN, and across into the DMZ segments via a secure channel.
There is a Kix script in the root of this structure, and kix is available in a \bin folder. Running INSTALL.BAT invokes the kix script via the copy of kix in the bin folder, so there is no reliance on any software on the target system. The install command can install any product (including O/S upgrades) as well as alternate versions, collections (packages) of hotfixes, and service packs via simple command line args.
For critical updates, we have a DEPLOY tool. A master (XLS) list of systems is maintained, with fields to sort on site or O/S, or even key products. This generates a text file of server names that we want to push a patch to. When you run DEPLOY from your admin workstation, you specify the product and installation args, the start time/date, and the system list file. You can then push out scheduled tasks to run at the determined time (or next reboot) to all systems. We generally push it to all trusted servers throughout the WAN from one workstation, but each target system is able to actually determine its closest software distribution server and update over the LAN. We've scheduled 7 deployments for the recent patch - 160 trusted servers system-wide, and a few dozen more in 6 DMZ segments. Takes about 15 minutes to prep and push, and about an hour to execute, since we build in delays to spread out net traffic.
For automated, rolling maintenance, I have a MAINT kix script that runs as a monthly scheduled task. It determines a maintenance "cycle" - monthly, quarterly, semi-annual, or manual. It checks a central config file on the closest SW Distribution server, compares the requirements to the current system configuration (SP, hotfixes, application versions, etc.) and installs anything defined and needed. It can "survive" multiple reboots, and forces a reboot after every O/S update (SP or HotFix package). It processes the O/S maintenance by cycle (annual, semi-annual, quarterly, monthly) and then starts on application install/uninstall and patching.
BTW - the directory structure also integrates into SMS fairly easily, and the installation batch files can be used directly by SMS and Tivoli software distribution.
I have lots of documentation on this that I can send you to review before making any code or file structure commitments. Let me know and I'll send off a ZIP of the docs.
We've been using this to maintain a few hundred servers (300+) across 5 sites for the past 2 years.
Glenn
_________________________
Actually I am a Rocket Scientist!
#114559 - 2004-02-24 07:35 PM
Re: Patch Management
Radimus
Moderator
Registered: 2000-01-06
Posts: 5187
Loc: Tampa, FL
If you want to know what is in each patch, install WinZip or WinRAR; that makes extracting the files easy.