#211534 - 2016-05-25 04:24 PM checking installed patches
BradV Offline
Seasoned Scripter
****

Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
Five years ago, I was working on a function to check for installed patches: GetAllPatches.

I was recently made the administrator of 6 Windows servers. Five are Windows 2003 R2, 32 bit and the last one is a Windows 2008, 64 bit. No one has patched these for years. The developers are afraid because they think patching will break their application. I have a large list of mandatory patches I am trying to check for. From two of the 2003 servers, I just don't get any results. From the 2008 server, I get that it does not seem to be running automatic updates, but I think it is. At least the group policy shows that it is.

I create an ini file with the server names:
 Code:
[computers]
comp1=server1
comp2=server2
and another ini file with the required patches:
 Code:
[patch]
patch1=KB2655992
patch2=KB2691442
and then called my function with:
 Code:
Break On
Dim $SO
;
$SO = SetOpt('Explicit',          'On')
$SO = SetOpt('NoMacrosInStrings', 'On')
;
DIM $strWks, $strFile, $arrPatches[5,0], $intI
DIM $strComps, $strPatch, $colComps, $objComp, $colPatchs, $objPatch, $strPatchID
DIM $intErr, $binStatus
;
include "functions.kix"
;
$strFile  = "c:\temp\patch_compliance.ini"
$strComps = "c:\temp\computers.ini"
$strPatch = "c:\temp\patch.ini"
;
$colComps = Split(ReadProfileString($strComps,"computers",""),chr(10))
$colPatchs = Split(ReadProfileString($strPatch,"patch",""),chr(10))
;
; If the patch report file exists, delete it to get a fresh copy.
;
If Exist($strFile)
   Del $strFile
   ? "Deleted the old patch report file."
EndIf
;
For Each $objComp in $colComps
   If $objComp <> ""
      $strWks - ReadProfileString($strComps,"computers",$objComp)
      ? "Checking patches on: " + $strWks
      ; First check to see if the automatic update service is running.
      If CheckAutoUpdate($strWks) = 0
         $arrPatches = GetAllPatches($strWks)
         If Ubound($arrPatches,2) > 0
            ; Check each patch we are interested in against the list of returned patches.
            For Each $objPatch in $colPatchs
               If $objPatch <> ""
                  $strPatchID = ReadProfileString($strPatch,"patch",$objPatch)
                  ? "Checking for patch, " + $strPatchID
                  $binStatus = 0
                  For $intI = 1 to Ubound($arrPatches,2)
                     If Instr($arrPatches[0,$intI],$strPatchID)
                        $intErr = WriteProfileString($strFile,$strPatchID,$strWks,$arrPatches[4,$intI])
                        $binStatus = 1
                     EndIf
                     ; No Else branch here: writing "could not find this patch" for every
                     ; non-matching row would overwrite a match found earlier in the list.
                  Next
                  If $binStatus = 0
                     $intErr = WriteProfileString($strFile,$strPatchID,$strWks,"Not Installed")
                  EndIf
               EndIf
            Next
         Else
            ? "Did not receive results from " + $strWks
            $intErr = WriteProfileString($strFile,$strPatchID,$strWks,"Could not read from this system")
         EndIf
         ? "-----------------------------------------------"
      Else
         ? "Automatic updates does not seem to be running on " + $strWks
      EndIf
   EndIf
Next


Three servers work fine. Two others, I just don't get any results. For the Windows 2008 server, it says it is not running automatic updates. I thought it might be a problem trying to query a remote server, but I get the same results if I run it on the problem server. Any suggestions?
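
One way to run the same ini-driven check directly against WMI (Win32_QuickFixEngineering), recording "Installed", "Not Installed" and "Query failed" separately so a server that returns nothing can be told apart from one that is missing the patch. This is an added example, not part of the post and not BradV's GetAllPatches; the file paths and ini layout come from the post, while PatchState() and the variable names are hypothetical.

```kixtart
; Added example (not BradV's code): PatchState() is a hypothetical helper.
Break On
Dim $SO, $strComps, $strPatch, $strFile, $arrComps, $arrKBs
Dim $strCKey, $strPKey, $strWks, $strKB, $intState, $intCode, $strResult, $intErr
$SO = SetOpt('Explicit', 'On')
$strComps = "c:\temp\computers.ini"
$strPatch = "c:\temp\patch.ini"
$strFile  = "c:\temp\patch_compliance.ini"
$arrComps = Split(ReadProfileString($strComps, "computers", ""), Chr(10))
$arrKBs   = Split(ReadProfileString($strPatch, "patch", ""), Chr(10))
;
For Each $strCKey In $arrComps
   If $strCKey <> ""
      $strWks = ReadProfileString($strComps, "computers", $strCKey)
      For Each $strPKey In $arrKBs
         If $strPKey <> ""
            $strKB = ReadProfileString($strPatch, "patch", $strPKey)
            $intState = PatchState($strWks, $strKB)
            $intCode  = @ERROR   ; capture before another statement resets it
            Select
               Case $intState = 1
                  $strResult = "Installed"
               Case $intState = 0
                  $strResult = "Not Installed"
               Case 1
                  $strResult = "Query failed, error " + $intCode
            EndSelect
            $intErr = WriteProfileString($strFile, $strKB, $strWks, $strResult)
         EndIf
      Next
   EndIf
Next
;
; Returns 1 = listed by WMI, 0 = not listed, -1 = query failed (code in @ERROR).
Function PatchState($strComputer, $strKB)
   Dim $objWMI, $colFixes, $intCount
   $PatchState = -1
   $objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" + $strComputer + "\root\cimv2")
   If @ERROR Exit @ERROR EndIf
   $colFixes = $objWMI.ExecQuery("SELECT HotFixID FROM Win32_QuickFixEngineering WHERE HotFixID = '" + $strKB + "'")
   If @ERROR Exit @ERROR EndIf
   $intCount = $colFixes.Count   ; the query is evaluated here, so check again
   If @ERROR Exit @ERROR EndIf
   $PatchState = 0
   If $intCount > 0
      $PatchState = 1
   EndIf
   Exit 0
EndFunction
```

On Windows 2008, Win32_QuickFixEngineering lists only updates installed through Component Based Servicing, so "Not Installed" there means the patch is not listed by WMI.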

#211535 - 2016-05-25 04:50 PM Re: checking installed patches [Re: BradV]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
There is a typo in this line
 Code:
$strWks - ReadProfileString($strComps,"computers",$objComp)
should be
 Code:
$strWks = ReadProfileString($strComps,"computers",$objComp)

But that's probably not the issue if it works on three of them.


Edited by ShaneEP (2016-05-25 04:51 PM)

#211536 - 2016-05-25 04:56 PM Re: checking installed patches [Re: ShaneEP]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
Also remember that arrays are 0 based, so this
 Code:
If Ubound($arrPatches,2) > 0
Should probably be
 Code:
If Ubound($arrPatches,2) >= 0
In case there is only 1 in the list.

Same goes for this
 Code:
For $intI = 1 to Ubound($arrPatches,2)
should probably be
 Code:
For $intI = 0 to Ubound($arrPatches,2)
Otherwise you will miss the first in the list, unless your getallpatches is padding the first element or something weird.

#211537 - 2016-05-25 05:08 PM Re: checking installed patches [Re: ShaneEP]
BradV Offline
Seasoned Scripter
****

Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
Hi Shane,

I have to retype. So, typos are quite probable. :)

The patch array 0 element has the titles. So, I'm not ignoring it, just use it to store the title (which I set even if nothing is found). So, the upper bound needs to be greater than 0. You are correct in that the GetAllPatches is padding the first element with something weird!

#211538 - 2016-05-25 05:13 PM Re: checking installed patches [Re: BradV]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
Ahh gotcha. Just my first observations. It's probably not a code issue anyways if it works on some and not others. I'll let some of the guys that have done more server maintenance chime in.
#211539 - 2016-05-25 07:39 PM Re: checking installed patches [Re: ShaneEP]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
They offered you an opportunity to manage 5 unsupported and one nearly unsupported server platforms - and you accepted??!?! :D
_________________________
Actually I am a Rocket Scientist! :D

#211541 - 2016-05-26 12:54 AM Re: checking installed patches [Re: Glenn Barnas]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
I would
_________________________
!

download KiXnet

#211545 - 2016-05-26 04:15 PM Re: checking installed patches [Re: Lonkero]
BradV Offline
Seasoned Scripter
****

Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
I didn't have a choice and I told them I was going to get rid of them as soon as I could. Most of those servers are virtual servers under vmware on old hardware with no current maintenance contract. I have limited vmware experience. My plan, as soon as I can get them patched and re-accredited by corporate, is to move them to corporately supported OpenStack Windows 2012 servers.

So, I need to figure out the patching state on the three servers that aren't working. I guess I'll have to add some more debugging messages and see if I can figure out what is going on. :)

#211546 - 2016-05-26 05:21 PM Re: checking installed patches [Re: BradV]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Old hardware... no maintenance.. this story just keeps getting better!

(believe me, we've ALL been there, done that!) :D Just too good of an opportunity to tease ya to pass up!

Glenn

#211547 - 2016-05-26 05:25 PM Re: checking installed patches [Re: Glenn Barnas]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4396
Loc: New Jersey
Take a look at my fMsg() UDF so you don't add and remove lots of message code.

If you define a global $DEBUG and set it to a non-zero value, it can log some messages always and others only when debug is active. You can control if messages display on the console or only write to the log. I use it for almost all output, and often have dozens of messages with debug info in my code, all disappear when $DEBUG is 0. I even check the command line for "--d" to set $DEBUG to 1 so I can turn debug messages on dynamically.

Glenn

#211548 - 2016-05-26 05:48 PM Re: checking installed patches [Re: Glenn Barnas]
BradV Offline
Seasoned Scripter
****

Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
I did something similar. Created a small function that tests if $DEBUG is true and then prints out the comments. So, that is getting me some more details, but nothing jumping out as a problem, except for some reason, when I run the $objSC.Run, I always get back "invalid number of parameters" even if it works. I'm trying to test if auto updates is enabled. I found some vbscript that starts with:
 Code:
Set objAutoUpdate = CreateObject("Microsoft.Update.AutoUpdate")
Set objSettings = objAutoUpdate.Settings
I'm not really sure how to put that in kix. Any suggestions?

#211549 - 2016-05-26 06:43 PM Re: checking installed patches [Re: BradV]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
I found a script similar to this on the following link. Maybe it could help? It seems to detect my level correctly, but I don't have rights to change the settings to verify it works for all levels.
 Code:
$objAutoUpdate = CreateObject("Microsoft.Update.AutoUpdate")
$objSettings = $objAutoUpdate.Settings

$UpdateLevel = $objSettings.NotificationLevel

Select
   Case $UpdateLevel=0
      ? "Automatic Updates is not configured by the user or by a Group Policy administrator."
   Case $UpdateLevel=1
      ? "Never check for updates(not recommended)."
   Case $UpdateLevel=2
      ? "Automatic Updates prompts users to approve updates before downloading or installing."
   Case $UpdateLevel=3
      ; 3 = aunlNotifyBeforeInstallation
      ? "Download updates but let me choose whether to install them."
   Case $UpdateLevel=4
      ; 4 = aunlScheduledInstallation
      ? "Install updates automatically(recommended)."
   Case 1
      ? "Notification level could not be determined."
EndSelect

get $

https://www.zabbix.com/forum/archive/index.php/t-48968.html

#211550 - 2016-05-26 06:52 PM Re: checking installed patches [Re: ShaneEP]
ShaneEP Moderator Offline
MM club member
*****

Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
Also this might work.
 Code:
$objAutoUpdate = CreateObject("Microsoft.Update.AutoUpdate")

$UpdateEnabled = $objAutoUpdate.ServiceEnabled

https://msdn.microsoft.com/en-us/library/windows/desktop/aa385821(v=vs.85).aspx

#211551 - 2016-05-26 07:34 PM Re: checking installed patches [Re: ShaneEP]
BradV Offline
Seasoned Scripter
****

Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
That is the exact script I was trying to translate to kix. :)
#211552 - 2016-05-27 02:37 PM Re: checking installed patches [Re: BradV]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
Why are we looking at a script if you are only working with one server?

#211553 - 2016-05-27 09:49 PM Re: checking installed patches [Re: Lonkero]
BradV Offline
Seasoned Scripter
****

Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
I have six servers to check and 5 years of patches on each. The script works on three, but not the other three for some unknown reason. When I get back to work next Tuesday, I'll keep putting in more debugging messages and see if I can't figure it out. :)
#211554 - 2016-05-28 01:20 AM Re: checking installed patches [Re: BradV]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
Well... I have 2003 servers that have a broken windows update. Just the way it is.

Since it's not being updated any longer anyways, it is in my mind pointless to even try to figure out

#211559 - 2016-06-01 07:42 PM Re: checking installed patches [Re: Lonkero]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11623
Loc: CA
I still have about a dozen 2003 servers and all are up to date on patches but doesn't matter. New take-over company going to shut them all down within next few months. Welcome to the Microsoft Cloud... like it or not.
#211654 - 2016-06-19 04:32 PM Re: checking installed patches [Re: BradV]
Jochen Administrator Offline
KiX Supporter
*****

Registered: 2000-03-17
Posts: 6380
Loc: Stuttgart, Germany
 Originally Posted By: BradV
No one has patched these for years. The developers are afraid because they think patching will break their application.


[Chekov] The strongest Reality Distortion field we have passed in years, Captain [/Chekov]