#77223 - 2003-10-24 10:05 AM
Automated patch update system in KiX
|
Mit
Fresh Scripter
Registered: 2002-06-05
Posts: 36
Loc: Derby, UK
|
Howdy pardners.
We have rolled out Windows 2000 onto all our desktop PCs over the summer but still have NT4 on the server end. As such, when it comes to rolling out security updates and so forth I've been unable to use SMS and other Microsoft systems to apply the updates. Instead, I've created my own automatic update system.
Basically there's a share on one of our servers called PATCHES which contains a folder ("AVAILABLE") in which the patch EXE files are stored. There's also a file called INDEX.TXT which contains an index of the patches that are available for the system to install.
The index file uses three lines per patch. The first line is an English description of the patch. The second line is the name of the EXE file and the third line is the name of the EXE file again but with the commandline switches that need to be used in order to apply the patch in unattended or hands-free mode.
It seems to work wonderfully - I'm very happy with it. However, there is one problem that I just can't seem to get sorted.....
Staff here run as Power Users on their PCs. The patches need to be installed using an account with Administrator rights. The RUNAS command in Win2K doesn't allow you to pass it a password for some god-known reason. Therefore I managed to track down a VBS script called VBRUNAS.VBS which allows you to get round this limitation.
VBRUNAS seems to work by calling the RUNAS command in the standard way and then sending the password to the commandline afterwards.
The problem is that every now and then, VBRUNAS doesn't manage to pass the password through properly, and RUNAS prompts for a password. Obviously this isn't good as I don't want people having to type in a password in order for their PC to be updated!
I am pretty sure that the problem does not lie with VBRUNAS as I have 100% success with using it "standalone" rather than being called from KIX.
My KIX script, InstallPatches.Kix is copied below.
code:
; install windows 2000 patches
break on
? "Windows 2000 automated patch installer"
? "by T.Wiser"
? ""

; open the text file that contains the list of patches that are available for installing
if Open(1, "\\nts40bdc\Patches\Index.txt") = 0
    ; file opened ok
else
    $response = MESSAGEBOX("Your PC could not be updated at this time.", "Software update", 32)
endif

While @ERROR = 0
    ; we're not at the end of the file yet, so read a new patch from the file
    $description = ReadLine(1)
    $filename = ReadLine(1)
    $actual_filename = ReadLine(1)

    if $description<>""
        if exist("c:\winnt\RolledOutPatches\"+$filename)
            ? " * Patch $filename is already installed"
        else
            ? " * New patch available! Installing "+$filename+CHR(13)+CHR(13)+CHR(13)
            copy "\\nts40bdc\patches\available\"+$filename "%WINDIR%\RolledOutPatches\"+$filename
            ; this bit of code writes the complete command into a batch file stored inside %TEMP% and then executes it
            $finalCommand = "cscript c:\winnt\VBRUNAS.VBS DOMAIN\account password "+CHR(34)+"C:\WINNT\ROLLEDOUTPATCHES\"+$actual_filename+CHR(34)
            if exist("%TEMP%\ApplyPatch.bat")
                del "%TEMP%\ApplyPatch.bat"
            endif
            OPEN(5, "%TEMP%\ApplyPatch.bat", 5)
            WRITELINE(5, $finalCommand)
            CLOSE(5)
            shell("%TEMP%\ApplyPatch.bat")
            ; and now terminate the script
            GOSUB Terminate
            Exit 1
        endif
    endif
Loop

:Terminate
; close the file as we're finished with it now
If Close(1) = 0
    ; file closed successfully
else
    ? "Could not close file"
endif
Can anyone (a) work out what I'm trying to say, and (b) see anything that could cause a problem?
[ 24. October 2003, 10:05: Message edited by: Mit ]
|
#77225 - 2003-10-24 10:33 AM
Re: Automated patch update system in KiX
|
Mit
Fresh Scripter
Registered: 2002-06-05
Posts: 36
Loc: Derby, UK
|
Mmmm.... I've just put that in and tests are going OK so far. Fingers crossed! Thanks.
Can you elaborate on the errors please?
[ 24. October 2003, 11:06: Message edited by: Mit ]
|
#77226 - 2003-10-24 11:17 AM
Re: Automated patch update system in KiX
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
There are many logic and structural errors which mean that the code will not execute as you expect it to.
You mix "C:\WINNT.." and %WINDIR%, you use "Gosub" in a very odd manner, your main file reading loop is badly constructed, you are not checking for errors in all places that you should be, you are closing a file on which the open may have failed.
I've cleaned it up a bit but there are still some major areas you need to address to make this production quality which I'll mention after the listing.
Note, I cannot test this here, so I'll apologise in advance for any typos:
; install windows 2000 patches
Break ON
? "Windows 2000 automated patch installer"
? "by T.Wiser"
? ""
$sDQ='"'
$sSQ="'"
$sServer="\\nts40bdc"
$sPatchList=$sServer+"\Patches\Index.txt"
$sPatchSrcDir=$sServer+"\Patches\available\"
$sPatchDstDir=%WINDIR%+"\RolledOutPatches\"
$sRunAs=%COMSPEC%+" /C cscript c:\winnt\VBRUNAS.VBS"
$sAccount="DOMAIN\account"
$sPassword="password"

; open the text file that contains the list of patches that are available for installing
$fhPatchFile=FreeFileHandle()
If Open($fhPatchFile,$sPatchList)
    $gNull=MessageBox("Your PC could not be updated at this time.", "Software update", 32)
    Exit 1
EndIf

; Consider changing this to a single delimited line and using Split()
$sDescription = ReadLine($fhPatchFile)
$sFilename = ReadLine($fhPatchFile)
$sActualFilename = ReadLine($fhPatchFile)
While @ERROR = 0
    If $sDescription
        If Exist($sPatchDstDir+$sFilename)
            ? " * Patch "+$sFilename+" is already installed"
        Else
            ? " * New patch available! Installing "+$sFilename+@CRLF+@CRLF+@CRLF
            Copy $sPatchSrcDir+$sFilename $sPatchDstDir+$sFilename
            Shell $sRunAs+" "+$sAccount+" "+$sPassword+" "+$sDQ+$sPatchDstDir+$sActualFilename+$sDQ
        EndIf
    EndIf
    $sDescription = ReadLine($fhPatchFile)
    $sFilename = ReadLine($fhPatchFile)
    $sActualFilename = ReadLine($fhPatchFile)
Loop

; close the file as we're finished with it now
If Close($fhPatchFile)
    ? "Could not close file"
endif

Exit 0
|
Right, what is left to do.
- Set "Explicit" on, and dim all your variables
- I'd change the input file format. Use a single line for the patch, using a delimiter to split the parts. Use Split() to break them out.
- I couldn't understand the logic of the two different file names. You use "actual filename" only in the execution, not the copy or check. This is illogical and will cause you problems when "filename" and "actual filename" differ. I've left the names as they were, but you should review this and correct it.
- You don't check that the copy completed successfully
- You don't check that the patch worked or completed.
- The patch could be copied to local, and aborted by the user. Now that the file is present, the process will not attempt to run the patch again. Consider using a local status file (INI format) to record the state of the patch, and only mark the patch install as completed when it has completed successfully. Also consider checking the registry for patch levels
There are other, quite mature systems already available on the board for rolling out patches. Consider using these (KSMS springs to mind) as they are pretty robust, and include techniques which avoid the possibility of exposing passwords.
|
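Richard H.'s to-do items above (one delimited index line broken out with Split(), checking the copy and the installer result, and a local INI status file) put together as an added example; this is not code from the thread or from KSMS. It assumes a `description|file.exe|switches` index format, a hypothetical `status.ini`, and that the script already runs under an account allowed to install patches, so no account name or password appears in it.

```kixtart
; Added example, not from the thread. Assumed index format, one line per patch:
;   description|file.exe|switches
Break ON
Dim $sIndex, $sSrcDir, $sDstDir, $sStatus, $sDQ
Dim $fh, $sLine, $aPart, $sFile, $iRC, $gNull
$gNull = SetOption("Explicit", "On")

$sDQ     = Chr(34)
$sIndex  = "\\nts40bdc\Patches\Index.txt"
$sSrcDir = "\\nts40bdc\Patches\available\"
$sDstDir = %WINDIR%+"\RolledOutPatches\"
$sStatus = $sDstDir+"status.ini"    ; hypothetical status file, one section per patch

$fh = FreeFileHandle()
If Open($fh, $sIndex)
    ? "Could not open "+$sIndex
    Exit 1
EndIf

$sLine = ReadLine($fh)
While @ERROR = 0
    $aPart = Split($sLine, "|")
    If UBound($aPart) = 2            ; skip blank or malformed lines
        $sFile = $aPart[1]
        If ReadProfileString($sStatus, $sFile, "State") = "Installed"
            ? " * "+$sFile+" is already installed"
        Else
            Copy $sSrcDir+$sFile $sDstDir+$sFile
            $iRC = @ERROR
            If $iRC
                $gNull = WriteProfileString($sStatus, $sFile, "State", "CopyFailed")
            Else
                Shell $sDQ+$sDstDir+$sFile+$sDQ+" "+$aPart[2]
                $iRC = @ERROR        ; exit code returned by the patch installer
                If $iRC = 0 Or $iRC = 3010   ; 3010 = success, reboot required
                    $gNull = WriteProfileString($sStatus, $sFile, "State", "Installed")
                Else
                    $gNull = WriteProfileString($sStatus, $sFile, "State", "Failed")
                EndIf
            EndIf
            $gNull = WriteProfileString($sStatus, $sFile, "LastCode", ""+$iRC)
        EndIf
    EndIf
    $sLine = ReadLine($fh)           ; sets @ERROR for the While test
Loop
$gNull = Close($fh)
Exit 0
```

Because a patch is marked `Installed` only after the installer returns a success code, a copy that was interrupted or an install the user aborted is retried on the next run instead of being skipped.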
#77227 - 2003-10-24 11:33 AM
Re: Automated patch update system in KiX
|
Mit
Fresh Scripter
Registered: 2002-06-05
Posts: 36
Loc: Derby, UK
|
The two different filenames are a hang-over from when I was trying to sort the problem out last time. I know there's no error checking - I wanted to get the script up and running in a simple form before adding the checking.
Thanks for the tips though, and I'll take a look at KSMS.