
RayM

  1. hey Bilou_Gateux That's good feedback. Thanks. I've used two different MSSecure.XML files. I've used each with the free version of HFNetChk and MBSA with the /hf switch. I get different results every single time. I need to set it aside for a while and look at it later with fresh eyes. For now, I'm "resting" by playing with slipstreaming SP2 into XP Pro. I'm also reading through the other forums here. A lot of material. I'll post back when I get something sorted out. Thanks again for the feedback.
  2. Ok. Thanks for the tip about DPCABS (what does that do?) EDIT: Ok. I just ran MBSA and read around. Both programs are by Shavlik Technologies. Both use MSSecure.xml -- but the one that MBSA is using is from Oct. 21st and the one HFNetChk is using is from Oct. 20th. Maybe that accounts for the difference. I'm not sure. I have to read a little more to see exactly what MBSA checks (ie, checksums, version numbers or what). Anyhow, MBSA says I'm in good shape -- except for a few minor issues. </EDIT> I don't know exactly the differences between HFNetChk and MBSA. I've also used MBSA and been happy with it. It gave a lot of information over a wide range of areas. HFNetChk is a command-line tool and has a bunch of switches. The -b switch claims to check "status of hotfixes required to meet baseline security standards". Note that this only refers to hotfixes, and MBSA checks a lot of other areas as well (like accounts, permissions, services etc...). HFNetChk uses an XML file called mssecure.cab. This file comes from MS, but Shavlik hosts a copy. The file that I'm using was last updated October 20th. HFNetChk checks version numbers and checksums of the files affected by the hotfix (mostly dlls). I'd be curious to know what results you get if you run HFNetChk on a recently XPCREATEd CD of W2K Server. (It's a very small download and only takes a minute to run.) I'd also be curious to see the hotfix list that gave the results. Thanks for the feedback. I'm going to run MBSA and see what it says. I'm also going to check MS's site for a more recent version of mssecure.cab
  3. Thanks for the feedback GM. (And thanks for sharing your work!) Any idea when the new version will be out? Do you at least have a new patchlist for W2K Server? When you say that you install W2K Servers with all the latest updates, do you mean with integrated hotfixes or updating after the install? Do you use HFNetChk? If so, does it show no missing patches or warnings? I'm thinking that the master list that HFNetChk checks against is out of date (since it looks for KB834707 instead of KB873377, which superseded it ... and also some version numbers that were reported as too high). I can't get HFNetChk to give a clean report. Maybe if I went back to a clean install and applied all the patches sequentially (ie, 834707 and then 873377), but that's a real PITA. Of the five or so patches that HFNetChk reports as not being installed, four of them still fail to show up after trying to manually apply them. This doesn't surprise me if their patchlist is out of date -- but the one patch that is included in my XPCREATE CD which still needs to be applied manually in order to be recognized by HFNetChk (KB840987) still puzzles me. I'm able to get everything to look fine (according to WUpdate) by installing the last patch or two by hand. In my first couple of posts I was only concerned with getting these last patches integrated into my XPCREATE CD. Now that I've been checking with HFNetChk I'm getting confused again. I'm all set up for testing, which I don't mind doing. The thing is that my system is old and slow. It takes over an hour to run XPCREATE. The bottleneck (for me) is in the DRIVERS.CAB compression. Just curious, does the compression routine for the CAB files allow switches so one can optimize for speed or size? If so, it might be an easy thing to add a line to the XPCREATE.INI file to allow people with slow machines to optimize compression for speed.
  4. I'm still working on the W2K Server hotfixes. Following bilou_gateux's advice, I've been using HFNetChk. I use XPCREATE to make an updated, patched W2K CD. (The hotfixes I use are listed a few posts back.) I run WUpdate. WUpdate shows I'm missing 2 critical updates. No surprise there. Then I run HFNetChk and it surprises me. It tells me that the following patches were not applied: Q329115 (Hey wait. I thought I installed this!) Q833330 (Blaster clean. I didn't install this. No surprise) Q840987 (I thought this was installed too!) Q841356 (This was intentionally omitted.) Q834707 (I didn't install this. I think it was superseded by 873377) Q329414 (Hmm. How come WUpdate didn't flag this?) Warnings: Q823353 (I thought I applied this!) Q828026 (This too.) Next, I tried to install a few of these manually. Q329115 Still shows up as not installed. Q840987 This one gets fixed when applied manually. Q823353 This still gives a warning. Q828026 Still gives a warning. Q329115 and Q329414 complain of invalid checksums The others are wrong versions. Q841356 has a lower version than expected. The others have *higher* versions than expected. Maybe this is because the list that HFNetChk is using is outdated. Is anyone else getting results like this? Is anyone else checking their patches? Thanks for reading.
  5. Thanks for the reply bilou_gateux. 1. (about the GDI+ detection tool.) OK. That's what I thought. Still, there will need to be a better tool for this, because so many apps keep a copy of the vulnerable dll in their working dir. Anyhow, WRT XPCREATE, all is good. 2. (about IE5.5SP2) Ok. Good. That's what I was thinking I would have to do. I have most of the appropriate service packs and hotfixes around here somewhere. I never intended to use IE6, it just happened because that's what was on GreenMachine's list. I almost never use IE anyway -- only for checking page rendering and such. 3. (about DirectX) Ok. Good. I'll probably do the same. 4. (About HFNetChk by Shavlik) I used to use that, but I stopped. I forget what it was that I didn't like. Maybe they required ActiveX or something like that. OK, I'll try it again while I'm working on the hotfixes. Any idea what it checks (exactly)? I mean, does it check versions and MD5s of the dll's, vxd's and ocx's (for instance) ... or does it just look for some flag or regkey that says that the hotfix has been applied? Gee, I just checked the HFNetChk site. Maybe I'm thinking of something else, but the program I remember was much bigger (like 20MB). Is this going to give me anything that Windows Update won't? Would I be better off using the Baseline Security Analyzer? Gee, weirder. On a clean install the program says that it detects a previously installed version. I wonder what's up with that. Hmm... It gets worse. The good news is that I have answered one of my questions. It looks like Windows Update makes a very simplistic check of installed hotfixes and patches. Windows Update still shows the same two critical updates. Also HFNetChk does look at version numbers and checksums. That's good. They use a file that they get from Microsoft. That's good. That file was last updated October 20th. That's not so good. 
The worse part is that HFNetChk indicates that several patches on my system have not been installed -- patches which Windows Update thinks are installed, and which were integrated with XPCREATE. Some of them are due to wrong version numbers. I can understand that, considering that their list is a little old. The disturbing part is that a few files have the right version number, but the wrong checksum. Most disturbing in this category is kernel32.dll. Yikes!! Running HFNetChk -vv (Very Verbose) shows that this could be very bad. I would expect that if a dll changed (thus changing the checksum) that the version number would change too. Does anyone know if it ever happens that they change a dll and they don't change the version number? Your tip to check out HFNetChk was good. BTW, HFNetChk -b (baseline) seemed good. Your post (with all of the download links and MD5s) was really good. It will save some people a lot of time. (Unfortunately, I had already downloaded everything manually before you posted.) Anyway, I have found your contributions to be very valuable. Thanks. Any idea about KB841356 ?
  6. RayM

    directx_9c_redist

    Hey Bilou_Gateux, that's great. I haven't been adding DX9. My computers are old (K6-III, 400MHz, 512MB RAM). I'm wondering if my system has enough oomph for DX9, or maybe I'm better off with DX7. My graphics cards are pretty old and basic too. I'd like to know what people think. (Besides "get a new system".) Is DX9 going to bloat my little system?
  7. (A quick note at the top, for what it's worth. DXDIAG.EXE works fine for me.) Hey all. I've been through this a number of times, so I'll share my results with the hope that they may be useful to someone else. Thanks GreenMachine for the nice tool. It's a real time-saver. This turned out to be a pretty long post. I know that the regulars here don't need all of this detail, but I was thinking of any newby who might be struggling with the same things. I posted here instead of in a new thread because it seemed to belong here. (1) I'm using Windows 2000 Server SP4. For now I'm using IE6SP1, but I may go back to IE5.5SP2. I have done hotfix integration manually, and it was a real PITA. I found XPCREATE in September, and it worked great first time. Then all those new patches came out in October and everything got messed up again. (2) Since GreenMachine's update list is not current and/or is offline (at least, the last time I checked) I did a clean install and then went to Windows Update to see what I needed. I downloaded everything manually and put them in what I imagined to be the correct folders (SVC-???). Then I ran XPCREATE and let it do its stuff (DLAUTO=NO). Then I did a fresh install with the ISO that XPCREATE made. Then I went to Windows Update again and found a bunch of new things that were missing. I repeated this cycle until I had a list of updates that leaves me missing two. I don't know how to resolve these two, and I'm hoping for a little help here. The following list of updates will (to the best of my knowledge) patch a Windows2000 Server system with the exception of two critical updates: KB873374 KB841356. (Also note, I do not update DirectX and I do not add Journal Viewer.) KB873374 is the GDI+ detection tool. Although this shows up as a critical update, and is potentially a serious problem, it does not seem to be a "patch" as such. KB841356 seems (from reading this forum) to be giving others problems. 
I was going to wait until MS recognizes that there's a problem with this and patches their patch. With the exception of those two, the following list gives me a patched system. All of this was done independently of (but compared against) bilou_gateux's very useful list earlier in this thread. For ease of reading, I've only listed the KB numbers. I have (rather inconsistently) changed the names as suggested elsewhere in the forum (ie, 8.3 names except for Type 1 hotfixes). I'll explain the asterisks and the numbers in parentheses after. SVC-DAH: Q832483 * SVC-HF1: KB873388 (22) Q818043 * KB329115 (5) KB820888 * KB822831 * KB823182 * KB823559 * KB824105 (6) KB825119 (7) KB826232 (8) KB828035 (9) KB828741 (10) KB828749 (11) KB835732 (12) KB837001 (13) KB839643 (14) KB839645 (15) KB840315 (16) KB840987 (17) KB841533 (18) KB841872 (19) KB841873 (20) KB842526 (21) KB837272 (23) KB828026 (24) SVC-HF2: js56nene * KB833989 (3) KB867801 * KB870669 (2) rootsupd * SVC-MSX KB867460 (1) SVC-POS KB823353 (4) SVC-PRE IE6SP1 ** IESTART ** SVC-QCH Q815062 ** SVC-WMP MPSetup ** SVC-X2M DOTNETF ** After the install completes, I look in Add/Remove programs. The numbers in parentheses show which item in the Add/Remove programs list the hotfix is. An asterisk indicates that the hotfix did not appear in the Add/Remove programs list. Two asterisks indicate that although the item did not appear in the Add/Remove programs list, I could by other means (like running the program) verify that the item had installed. ?? How can I tell if the asterisked hotfixes have been applied or not? The fact that a hotfix doesn't show up on the Add/Remove list doesn't necessarily mean that it wasn't applied. It might have been superseded. It might be a hotfix that can't be removed. Or ... maybe it wasn't applied successfully. ?? In fact, how can I tell if any hotfix has definitively been applied? 
I mean, isn't it possible that a registry entry (for instance) has been changed to indicate the presence of a hotfix when in fact the hotfix hasn't been applied? ?? Another question, and I apologize if I've missed this while reading through hundreds of posts at MSFN -- can someone spell out the differences between a Type 1, Type 2 and the various other types of hotfixes? A link to the relevant thread would be enough. OK, finally, a few problems I had. First off, I had inconsistent results at first. It was my fault, but since others may have similar problems I'm going to mention it as something to watch out for. There were a number of different reasons for my inconsistent results. One problem was lack of patience. Sometimes the process would seem to hang. I noticed (and later read in the forum) that pressing "y" or the space bar would answer some hidden question and get the process going. Maybe in my impatience, I hit too many "y"'s and something got skipped over. Anyhow, I've learned to be more patient, hit a "y" only once and wait a while and to check for minimized command prompt windows. Another problem was a "dirty workspace". This means doing XPCREATE in a folder where I had done XPCREATE before. I don't know why this would make a difference, and maybe it's just my imagination -- but I've become superstitious. Now I start with a newly created folder. Then I run XPCREATE once to create all of the working folders. Then I copy my Win2K-S (SP1 slipstreamed) CD to the CD source. I put SP4 in SPACKS (or, I use a slipstreamed Win2K-SP4 as my CDSOURCE). Then I put the XPCTBOOT.BIN in the BOOT folder. All of this is my "Master" folder. I only work on copies of that. In fact, I only work on copies of copies of that. I'll make a copy and call it XPCREATE##, and then I load it up with all of the hotfixes that I think are appropriate. Then I copy that whole bunch of stuff to a new folder called TEST##. Then I run XPCREATE on TEST##. 
I use these two folders, XPCREATE## and TEST## because I don't know what changes XPCREATE might make to the original, and this way I can try to track what's happening. Then I do a clean install from the newly created ISO and check the results. For the next iteration, I go back to the "Master" folder, make a new copy (incrementing the number ie XPCREATE02), try the hotfixes a different way, make another copy (ie TEST02) and on and on. Another problem may have been having too many (or interfering) hotfixes. At some point, I was using all of the hotfixes for September together with all of the new hotfixes. Maybe there were some conflicts, I don't know. Maybe it was just this KB841356 that seems to be causing problems. OK. Sorry this was so long. I hope all of the details could be useful to someone.
  8. Excellent. Thank you. Too bad it's an Excel spreadsheet. (That's what .xls is, isn't it?) I think a browsable XML doc would be a better choice ... but then who am I to complain about the nice work that Gary is freely sharing with us.
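
The posts above ask how to tell whether a hotfix has really been applied, and report that HFNetChk compares file version numbers and checksums while Windows Update appears to make a simpler check. The following added example (not from the posts and not HFNetChk's code) contrasts an "installed" flag with file evidence; the hotfix ids, file names, versions, baseline layout and the use of SHA-256 as the checksum are all constructed assumptions.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_version(text):
    # "5.0.2195.6946" -> (5, 0, 2195, 6946) so versions compare numerically
    return tuple(int(part) for part in text.split("."))

def check_file(expected, actual):
    """expected = (version, sha256); actual = (version, bytes) or None."""
    if actual is None:
        return "missing file"
    exp_ver, act_ver = parse_version(expected[0]), parse_version(actual[0])
    if act_ver < exp_ver:
        return "version lower than expected"
    if act_ver > exp_ver:
        return "version higher than expected"  # later fix or stale baseline
    if sha256_hex(actual[1]) != expected[1]:
        return "invalid checksum"              # same version, different bytes
    return "ok"

def audit(baseline, flags, files):
    """Return {hotfix_id: (flag_says_installed, [(file, finding), ...])}."""
    report = {}
    for hotfix, entries in baseline.items():
        findings = [(name, check_file((ver, digest), files.get(name)))
                    for name, ver, digest in entries]
        report[hotfix] = (hotfix in flags, findings)
    return report

def disagreements(report):
    """Hotfixes whose installed flag and file evidence do not agree."""
    return sorted(h for h, (flagged, findings) in report.items()
                  if flagged != all(f == "ok" for _, f in findings))

# Constructed sample data: placeholder ids and file names, not real hotfixes.
GOOD = b"patched build of example1.dll"
BASELINE = {
    "KB-EXAMPLE-1": [("example1.dll", "5.0.2195.6946", sha256_hex(GOOD))],
    "KB-EXAMPLE-2": [("example2.dll", "5.0.2195.6900", sha256_hex(b"two"))],
    "KB-EXAMPLE-3": [("example3.dll", "5.0.2195.6800", sha256_hex(b"three"))],
}
FLAGS = {"KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"}  # what a flag-only check sees
FILES = {
    "example1.dll": ("5.0.2195.6946", GOOD),
    "example2.dll": ("5.0.2195.6900", b"same version, different bytes"),
    "example3.dll": ("5.0.2195.6950", b"three, later build"),
}
REPORT = audit(BASELINE, FLAGS, FILES)
```

A flag-only check reports all three placeholder hotfixes as installed; the file check separates the stale-baseline case (higher version) from the checksum mismatch at an unchanged version, which is the finding that needs investigating.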