Installing Updates From Local Disk


ahab

OK... so at work we've got a lot of computers, and not a lot of bandwidth. I've been doing various forms of this, but this is the first time that I've felt that it is publicly distributable. This is meant to be carried around on a CD and to be used on any Windows XP machine with SP2 installed.

What it does: Creates a system restore point. Turns off system restore to prevent each update from doing it individually. Checks if the updates are installed (checks for log files or an install folder), skips the update if it is installed, and installs the update if it is lacking. Then it turns system restore back on.

First off we've got the main batch file. Call this whatever you want, it just has to end in .bat.

@ECHO off
GOTO START

@author ahab
@version 4/15/5

:START

SET /A NUMOFUPDATES=0

ECHO Creating a System Restore point
createrestorepoint.vbs
NET STOP srservice

ECHO .NET Framework
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFRAMEWORK" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
dotnetfx /q:a /c:"install /q"
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB867460 .NET Framework 1.1 Service Pack 1
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\S867460" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
NDP1.1sp1-KB867460-X86.exe /q
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB886903 ASP.NET path validation vulnerability in Microsoft .NET
ECHO Framework 1.1 Service Pack 1
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\M886903" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
NDP1.1sp1-KB886903-X86.exe /q
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB890830-V1.3 Microsoft Windows Malicious Software Removal Tool V1.3
REG QUERY "HKLM\SOFTWARE\Microsoft\RemovalTools\MRT" /v "Version" | FIND "D89EBFD1-262C-4990-9927-5185FED1F261" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
Windows-KB890830-V1.3-ENU.exe /q
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB873333 Vulnerability in OLE and COM could allow remote code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB873333" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB873333-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB873339 Vulnerability in HyperTerminal could allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB873339" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB873339-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB873374 Microsoft GDI+ Detection Tool
REM The following will just make it seem like it has been run
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GdiDetectionTool" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
REG ADD "HKLM\SOFTWARE\Microsoft\GdiDetectionTool" /v "GDITool" /t REG_DWORD /d "00000001" /f > nul 2>&1
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB885250 Vulnerability in server message block could
ECHO allow remote code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885250" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB885250-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB885835 Vulnerabilities in Windows Kernel and LSASS could allow
ECHO elevation of privilege
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885835" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB885835-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB885836 A vulnerability in WordPad could allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885836" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB885836-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB886185 Critical Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB886185" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB886185-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB887472 Security update to Microsoft Windows Messenger
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887472" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB887472-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB887742 Security update to Microsoft Windows Messenger
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887742" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB887742-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB887797 Cumulative Update for Outlook Express for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887797" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB887797-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB888113 Vulnerability in hyperlink object library could allow remote code
ECHO execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB888113" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB888113-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB888302 Vulnerability in Windows could allow information disclosure
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB888302" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB888302-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB890175 Vulnerability in HTML Help could allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890175" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB890175-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB890859 Security Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890859" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB890859-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB890923 Cumulative Security Update for Internet Explorer
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890923" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB890923-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB891781 Vulnerability in the DHTML editing component ActiveX control could
ECHO allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB891781" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB891781-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB893066 Security Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893066" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB893066-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB893086 Security Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893086" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsXP-KB893086-x86-enu.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

ECHO KB893803 Microsoft Windows Installer 3.1
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893803" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
ECHO is already installed
) ELSE (
ECHO Installing...
WindowsInstaller-KB893803-x86.exe /quiet /norestart
SET /A NUMOFUPDATES+=1
ECHO Installation complete.
)

NET START srservice

ECHO The updater script has completed. %NUMOFUPDATES% installed.
IF %NUMOFUPDATES% GTR 0 ECHO A reboot is recommended.
PAUSE

You probably noticed createrestorepoint.vbs. That's a Visual Basic script that does what it says... the following goes into that file:

'Unattended System Restore Point
'sysrestorepoint.vbs
'© Doug Knox - rev 02/11/2002
'Downloaded from www.dougknox.com
'Extracted from original code by Bill James - www.billsway.com
'Modified even more by ahab

Set sr = getobject("winmgmts:\\.\root\default:Systemrestore")

If (sr.createrestorepoint("Updater Restore Point", 0, 100)) <> 0 Then
   MsgBox "Restore Point creation Failed!"
End If

A lot of help from HOTFIXES: Win2000 SP4 – WinXP SP1 – WinXP SP2.

And here are the links to download all the updates:

KB891781

KB890830 1.2

KB890175

KB890047

KB888302

KB888113

KB887797

KB887742

KB887472 KB886903

KB886185

KB885836

KB885835

KB885250

KB873374

KB873339

KB873333 KB867460

KB867282

.NET Framework Version 1.1

For future reference here are the updates that actually make a restore point: KB891781, KB890175, KB888302, KB888113, KB887797, KB887472 (last known accurate 3/8/5)

And the scripts that I have posted above are attached in a .zip file. Just extract the .zip file and download all the updates to the directory that the scripts are in, run the .bat and you're set.

It does not include WMP 10. I know this. I might add that in the future... but not now.

Changelog:

3/6/5 - First major release

3/8/5 - Added malicious software removal 1.2, and removed anything that referenced .net as anything besides the 1.1 install was broken. I'll try and add that later... but it's not needed right now. The .NET package included these three: .NET Framework Version 1.1, KB867460, KB886903. I also added a bit in the malicious software detection from this post. I want that to actually run, unlike the GDI+ detection tool. You can change that by just putting REM in front of what you don't want to run.

3/13/5 - See this post

Comments? Concerns? Sarcastic remarks?

Updates.zip

Link to comment
Share on other sites


*bump* for a revision in the updates.

Anyone know how to do quiet installs of the .NET hotfixes? I know the .NET 1.0 framework takes:

dotnetfx.exe /q:a /c:"install /q"

I've searched for the others and tried /? with no luck.

Link to comment
Share on other sites

I'm puzzled by two points.

If you create a SR point and then turn off SR, it will delete all the SR points.

Also, the reg files edit the HKLM keys and normally this would require a reboot to take effect.

Also, wouldn't it be better for the script to check for update entries directly in the registry, rather than the logs, as I delete the logs myself periodically?

Link to comment
Share on other sites

I will double check that about system restore in the next few days.

I would much rather check the registry, but.... can't do that with the REG command (it can only compare what is actually in the registry) and regedit can only import or export reg keys. I could export a key, then compare it to a file but I'd rather not take that step. (The Windows registry is not a strong point of mine). You might see this page.

I *could* check for uninstall information instead.

Link to comment
Share on other sites

That website doesn't mention Reg query but it surely exists in Windows XP and seems to do what I have in mind.

WSH RegRead also does similar via VBS or JS.

If the end-users don't delete the log files (or the Uninstall folders) then your script should do it. I'm just trying to find the best or most professional way to do it.

KB890830-V1.2 is now v1.3.

After installing the last update, a restart is required.

Link to comment
Share on other sites

SUS or SMS would be preferred, believe me. Just not a possibility right now :(

"WSH RegRead also does similar via VBS or JS."

I'm not too keen on getting that deep into Windows scripting.

"If the end-users don't delete the log files (or the Uninstall folders) then your script should do it. I'm just trying to find the best or most professional way to do it."

I wouldn't consider this really professional or anything, more or less a tool that I've found works well for what I want to do and figured I'd share. Any ideas for improving it that aren't too hard to code are welcome.

"KB890830-V1.2 is now v1.3."

I'm only finding 1.2 (from March 8th) on MS's website.

"After installing the last update, a restart is required."

Woo... rebooting after all this is done is something that I'd like to implement, but batch has its limitations and can't do that very pretty...

I suppose I should add

ECHO A reboot is strongly recommended.
PAUSE

To the end of it.

Any other suggestions?

Link to comment
Share on other sites

"That website doesn't mention Reg query but it surely exists in Windows XP and seems to do what I have in mind."

Reg query is in WinXP... hmm... I only looked at the actual output of it, not the errorlevel that it would return, I suppose that would work. I'm thinking have it take the registry key, output it to a file. If the registry key is not there, the errorlevel is 1 and the following can be easily modified to install it:

@ECHO off
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" "%TEMP%\check.reg"
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\DOESNOTEXIST" "%TEMP%\check.reg"
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

course at the end of the batch file this check.reg would be deleted

I would use REG QUERY except it likes to display a lot of text that makes things ugly.

Link to comment
Share on other sites

@ECHO OFF
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" > nul 2>&1
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\DOESNOTEXIST" > nul 2>&1
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

Just plain > nul would still spit out Error: The system was not able... if it was not able to find the registry key, hence the 2>&1. Seems to be the neatest way to do it. When I was working with REG EXPORT I was wanting to send it to /dev/null but didn't know of the Windows equivalent.

That'll make things muuuch neater. Thanks Takeshi.

Link to comment
Share on other sites

Now counts the number of updates that have been installed and tells you at the end.

The .NET framework and all updates are back in. .NET Framework Version 1.1, KB867460, KB886903

Updates to note:

- KB890830-V1.2 - This version stores its version as "F8327EEF-52AA-439A-9950-CE33CF0D4FDD". The script takes the output from REG QUERY and finds the "F832..." string in it. You can skip this update altogether, see this post.

- I'm still not running the GDI detection tool, it does check to see if the registry value is there though.

Before I posted it here I didn't check if the update was already installed. Then I checked for a logfile of its install with "IF EXIST C:\WINDOWS\KB834707.log" Log files aren't always there, so at Takeshi's suggestion I started checking the registry.

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" "%TEMP%\check.reg"
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

That's not the most elegant, so again at Takeshi's suggestion I moved onto

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" > nul 2>&1
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

I'd consider that nice & neat code.

Originally I turned off the System Restore Service and disabled System Restore in the registry. Didn't need to do both to prevent each update from making their own restore points. "REGEDIT /S sroff.reg" was run before system restore service was stopped. "REGEDIT /S sron.reg" was run before the service was started again, but after all the updates. This is sroff.reg:

Windows Registry Editor Version 5.00
;disable system restore
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000004

and this is sron.reg

Windows Registry Editor Version 5.00
;enable system restore
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000000

If you really want to use these .reg files (I see no reason to) you could modify the script accordingly.

Also changed the name of the restore point from "Automatic Restore Point" to "Updater Restore Point". Also, when you turn off the system restore service it does not delete the previous restore points. Good God you should see how many restore points my poor test install has.

Link to comment
Share on other sites
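
An added example, not part of ahab's script or any post in this thread: the repeated REG QUERY / install block folded into one subroutine that also checks the installer's exit code and re-queries the registry before counting an update as installed. The three updates are taken from the script above; the variable names, the `:INSTALL` label and the treatment of exit code 3010 as "succeeded, reboot needed" are assumptions of this example.

```batch
@ECHO off
SETLOCAL
REM Added example. Registry path and file names follow the pattern used in the thread.
SET UPDKEY=HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3
REM Directory this script lives in, so it works from a CD with any drive letter
SET HERE=%~dp0
SET /A INSTALLED=0
SET /A FAILED=0
SET /A NEEDREBOOT=0

CALL :INSTALL KB873333 WindowsXP-KB873333-x86-enu.exe
CALL :INSTALL KB885250 WindowsXP-KB885250-x86-enu.exe
CALL :INSTALL KB890923 WindowsXP-KB890923-x86-enu.exe

ECHO %INSTALLED% installed, %FAILED% failed.
IF %NEEDREBOOT% EQU 1 ECHO A reboot is required to finish installation.
IF %FAILED% GTR 0 EXIT /B 1
EXIT /B 0

:INSTALL
REM %1 = KB id (registry subkey name), %2 = installer file next to this script
REG QUERY "%UPDKEY%\%1" > nul 2>&1
IF NOT ERRORLEVEL 1 (
  ECHO %1 is already installed
  GOTO :EOF
)
IF NOT EXIST "%HERE%%2" (
  ECHO %1 installer %2 is missing
  SET /A FAILED+=1
  GOTO :EOF
)
ECHO %1 installing...
"%HERE%%2" /quiet /norestart
REM Capture the exit code on its own line, outside any parenthesised block
SET RC=%ERRORLEVEL%
IF %RC% EQU 3010 SET /A NEEDREBOOT=1
IF %RC% NEQ 0 IF %RC% NEQ 3010 (
  ECHO %1 installer exited with code %RC%
  SET /A FAILED+=1
  GOTO :EOF
)
REM Do not trust the exit code alone: confirm the key the check relies on now exists
REG QUERY "%UPDKEY%\%1" > nul 2>&1
IF ERRORLEVEL 1 (
  ECHO %1 installer returned %RC% but the registry key is absent
  SET /A FAILED+=1
  GOTO :EOF
)
SET /A INSTALLED+=1
ECHO %1 installed.
GOTO :EOF
```

The script exits non-zero when any update fails, so a wrapper or a technician reading the last line can tell a fully patched machine from one that only ran the script.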

I'm still a bit puzzled by this.

When you turn off SR service via regedit, it won't do anything until you reboot the computer, because it writes to the HKLM key and this normally requires a reboot to take effect.

So when you turn it off and on with regedit in the same session, nothing should have happened.

I think you would normally use the net stop and net start command to stop and start services with immediate effect!

Coming back to the bat file, you can further simplify it by using HKLM or set it as variable, if you like.

Link to comment
Share on other sites

I've just tested your reg files.

It does seem to do what you said, but rather strangely, when going to services.msc, it has no effect on the status (i.e. it still says Started and Automatic after applying the sroff.reg)!

Link to comment
Share on other sites
