Messing with Microsoft Update


Glenn9999

One thing I've been preoccupied with lately is figuring out Microsoft Update. Specifically (more or less), the following:

1) Can I automate and detect things offline? I got that done easily enough (WSUSSCN2.CAB). Don't know if you can script it, but I got a program written doing it.

2) Can I scan the service and then get URLs to download EXEs (and presumably MSU/MSI)? I think I got that one addressed (I wrote something, want to wait a Patch Tuesday or two to test it). This was my "neat little idea" in the statuses.

Now to stuff I'm not so sure about (and people have been somewhat unwilling to answer such questions on Microsoft's forums), but hopefully someone has some experience.

3) Can I get a list of all the patches required to fully patch a system from the ground up (e.g. make a patch list like what's in some of the forums here)? I'm thinking if you poll "IsInstalled=0" or "IsInstalled=1" along with both hidden and unhidden updates, that will work. The thing I'm unsure about is if you install a patch that supersedes something else, whether the old patch will roll off of this list or not.

4) Can I identify what the superseded patches themselves are? And with a little history can I map that to files on a drive/directory and identify files that can be safely deleted in a patch set? This is probably the most interesting set of data I'm finding in studying Microsoft/Windows Update - probably because I'm unsure of what to do with the data after getting it.

I notice each patch seems to be tagged with an update id which you can obtain and later query in a WU search. I also notice that some patches come with a superseded update id list. I'm thinking one could hold onto these values in a file and then walk the superseded ids backward and come up with the old patch KBs. I might have to try it when the next Patch Tuesday rolls around if no one knows for sure...

I didn't find any superseded ids in the original update id list, so I'm thinking this might hold the answer to #3.

5) And the big question I'm not sure is going to be possible: Can I scan for an OS and language that is not what I'm on? Probably not possible? I did figure out that I can scan for certain category ids and only get certain things back, but I don't know if that could be used? I know WSUS Offline does it by downloading WSUSSCN2.CAB, extracting it, and processing the XML, but I'm wondering if there can be a little more elegant way...

Anyway, thanks for reading this if you got this far. I know this comes off more as a blog post than anything else in parts, but thought someone might have some experience to provide some helpful comments or suggestions.

Edited by Glenn9999


You can do basically all of this with the WUA APIs (except scan for patches for another language) - you can use them in script, powershell or C++ or C#. Given that Vista and Win7 are language-neutral, the last one shouldn't be a problem anyway.

I've got a few examples in a thread, here. It's vbscript, but it might give you an idea of how to do some of these. JCarle is the WUA API guy here, though, so it might be worth getting him to reply to this thread.


You can do basically all of this with the WUA APIs (except scan for patches for another language) - you can use them in script, powershell or C++ or C#.

Actually what I've been doing is accessing Windows Update using the WUA API, and I can get any kind of data that I find documented. The problem is more what to do with some of the data after I get it to perform some useful things that seem to have not been done. That's really the problem - what does the data represent or how does the data change when a new patch occurs? Most of it is pretty straightforward, but there are a few that are pretty nebulous on inspection that Microsoft doesn't explain. I'm sure much will be answered for me regarding this post when I analyze the data I get back on a Patch Tuesday.

Of course the big issue I haven't figured out is how to scan for patches for a system that is not currently running (e.g. scanning for "Windows XP" patches while on a Windows 7 system, or for "es" patches on an "en" system). I'm sure there has to be some way, though, since the data is there in the offline scanner file and WSUS Offline processes the XML in that CAB file.

Given that Vista and Win7 are language-neutral, the last one shouldn't be a problem anyway.

I'm not sure regarding how the data changes between the systems, though. I did get to try my update downloader (which works fully on XP) on a Windows 7 system and it ended up not working for some reason on Windows 7 patches. Meanwhile it did work when I downloaded the latest (Oct 2010) MSRT tool. This is one reason I haven't put it up for people to try - I'd like to know that it works on Vista and 7 and haven't gotten the development time yet to find out why it didn't work when I tried it.


I notice each patch seems to be tagged with an update id which you can obtain and later query in a WU search. I also notice that some patches come with a superseded update id list.

I got around to writing something to analyze/list patch history on a computer and found some main update ids that were on superseded id lists on my Windows Update list. So I'm thinking this is a possibility and I'll have to analyze the data to see how useful it is. That's the odd thing I'm finding in listing everything to do with an update - some of the fields aren't even hardly used.

I'm not sure regarding how the data changes between the systems, though. I did get to try my update downloader (which works fully on XP) on a Windows 7 system and it ended up not working for some reason on Windows 7 patches.

I'm thinking from looking at my source closely this is probably going to end up a garden-variety bug. I changed/fixed it and am going to get to try it tomorrow. Hopefully it will work.

One more question from analyzing data that I didn't get a clear answer on from Google: From analyzing the data I got back, I found links to files with a PSF extension. I figure the CAB is something for the Windows Update Engine installer. I found references to WSUS when it came to the PSF extension, and when I looked at the file it seemed to be a binary file format, but didn't find much else. Is it only useful for that, and something that WSUS automatically pulls in? I know with most that frequent this site (myself included), the EXE is the only interesting file link, but I'm just wondering if the others present interesting downloads or not.


Update ID: 611b36f3-ad07-4872-bb34-c51b338e70c8
Title: Security Update for Windows XP (KB2279986)
Min Download Size: 270102
Download Size: 652160
File URLs:
0: http://download.windowsupdate.com/msdownload/update/software/secu/2010/09/windowsxp-kb2279986-x86-enu_94a7af17907c0ed6ef08abaa0bf41228ef0b3aff.exe
1: http://download.windowsupdate.com/msdownload/update/software/secu/2010/09/windowsxp-kb2279986-x86-express-enu_8d00c48e6be6a5553bd3da012430b8272f577543.cab
2: http://download.windowsupdate.com/msdownload/update/software/secu/2010/09/windowsxp-kb2279986-x86-enu_c84b7e12a38c944906802bd8892158efe4fb280a.psf

This has definitely been an interesting project so far.

Edited by Glenn9999

I'm thinking from looking at my source closely this is probably going to end up a garden-variety bug. I changed/fixed it and am going to get to try it tomorrow. Hopefully it will work.

I decided to go ahead and put the update downloader from my original post point #2 online anyway. It's a test version, as the opening screen says. It works for me on Windows XP, and I'm not seeing any reason it shouldn't work elsewhere. If this seems useful to someone and it does work on other stuff that uses the Windows Update Agent, I can try to polish it up some more for general use.

(a little newer version, if anyone is interested in trying it out, by all means. Please let me know how well it works out.)

(pulled, working on a third alpha revision)

Description:

This program uses the online Windows Update facility to discover either installed or not installed patches on the system it is running on. Then it gives you the option to select and download those patches (EXE and hopefully MSU) to a specific directory.

Notes:

1) Windows Update sometimes packages multiple files in one patch listing. I wouldn't be surprised if you found no files at all in some cases.

2) The download part takes a SHA-1 hash of the file it downloads, and then compares it to the corresponding string on the EXE. You will see an error message if this doesn't match up.

3) Again, since it's test software, don't be surprised if you find problems that I didn't find in my testing.

HTH.

Edited by Glenn9999
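
The SHA-1 comparison described in note 2 of the post above, sketched as an added example (this is not the poster's program). It assumes the digest is the 40 hex characters before the extension, as in the file URLs quoted earlier in the thread; the host, file name and payload in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile
from urllib.parse import urlsplit

# Trailing "_<40 hex chars>.<ext>", the naming seen in the file URLs quoted above.
DIGEST_RE = re.compile(r"_([0-9a-f]{40})\.[a-z0-9]+$", re.IGNORECASE)

def expected_sha1_from_url(url):
    """Return the SHA-1 hex digest embedded in the file name, or None."""
    name = urlsplit(url).path.rsplit("/", 1)[-1]
    match = DIGEST_RE.search(name)
    return match.group(1).lower() if match else None

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large packages are not read into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(url, path):
    """Return 'ok', 'mismatch', or 'no-digest' (nothing to compare against)."""
    expected = expected_sha1_from_url(url)
    if expected is None:
        return "no-digest"
    return "ok" if hmac.compare_digest(expected, sha1_of_file(path)) else "mismatch"

def demo():
    """Constructed sample: a temp file and URLs on a placeholder host."""
    data = b"constructed sample payload, not a real update"
    good_digest = hashlib.sha1(data).hexdigest()
    base = "http://downloads.example.invalid/sample-kb0000000-x86-enu"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.exe")
        with open(path, "wb") as fh:
            fh.write(data)
        return (
            verify_download(f"{base}_{good_digest}.exe", path),
            verify_download(f"{base}_{'0' * 40}.exe", path),
            verify_download(f"{base}.exe", path),
        )

if __name__ == "__main__":
    print(demo())
```

The digest travels in the same URL as the file, so a match shows the download is complete and uncorrupted, not that it is authentic. Checking the package's Authenticode signature covers authenticity.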

I don't know how many are interested (still or at all), but since I made the status update...

There's a query language that's associated with running a Windows Update search. You can have it use certain strings to have it bring back desires. What I said was that this query language doesn't support using OR as anything other than a top-level operator.

For example, if I want updates that are not hidden and updates that are not installed, I use


IsHidden=0 and IsInstalled=0

Now if I want it to just bring back all relevant updates that are not hidden, I can try


IsHidden=0 and (IsInstalled=0 or IsInstalled=1)

which is what works with most languages. The problem in this application, though, is that OR is only supported in the place the AND is and this query does not work.

So I have to do something like:


(IsHidden=0 and IsInstalled=0) or (IsHidden=0 and IsInstalled=1)

This is a simple example, but if you add in a number of other possible supported flags and options with the view of making a query writer, the queries get long and confusing fast.

Edited by Glenn9999
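
The rewrite described in the post above (pushing every OR up to the top level) can be done mechanically. This is an added example, not code from the thread: the nested-tuple input format and the function names are assumptions made for illustration, and the criteria atoms are passed through as opaque strings.

```python
from itertools import product

def to_dnf(expr):
    """Return a list of AND-groups (lists of atoms) equivalent to expr.

    expr is either an atom string such as "IsHidden=0" or a tuple
    ("and", e1, e2, ...) / ("or", e1, e2, ...).
    """
    if isinstance(expr, str):
        return [[expr]]
    op, *args = expr
    parts = [to_dnf(arg) for arg in args]
    if op == "or":
        # OR of sub-expressions: just concatenate their AND-groups.
        return [group for part in parts for group in part]
    if op == "and":
        # AND distributes over OR: take one group from each operand.
        groups = []
        for combo in product(*parts):
            merged = []
            for group in combo:
                for atom in group:
                    if atom not in merged:   # keep each atom once per group
                        merged.append(atom)
            groups.append(merged)
        return groups
    raise ValueError(f"unsupported operator: {op!r}")

def to_criteria(expr):
    """Render expr as a search string with OR only at the top level."""
    groups = []
    for group in to_dnf(expr):
        if group not in groups:              # drop duplicate groups
            groups.append(group)
    if len(groups) == 1:
        return " and ".join(groups[0])
    return " or ".join("(" + " and ".join(g) + ")" for g in groups)

if __name__ == "__main__":
    nested = ("and", "IsHidden=0", ("or", "IsInstalled=0", "IsInstalled=1"))
    print(to_criteria(nested))
```

The number of groups is the product of the OR widths, which is why hand-written queries with several flags get long so quickly.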

  • 1 month later...

One thing I've been preoccupied with lately is figuring out Microsoft Update. Specifically (more or less), the following:

1) Can I automate and detect things offline? I got that done easily enough (WSUSSCN2.CAB). Don't know if you can script it, but I got a program written doing it.

2) Can I scan the service and then get URLs to download EXEs (and presumably MSU/MSI)? I think I got that one addressed (I wrote something, want to wait a Patch Tuesday or two to test it). This was my "neat little idea" in the statuses.

Now to stuff I'm not so sure about (and people have been somewhat unwilling to answer such questions on Microsoft's forums), but hopefully someone has some experience.

3) Can I get a list of all the patches required to fully patch a system from the ground up (e.g. make a patch list like what's in some of the forums here)? I'm thinking if you poll "IsInstalled=0" or "IsInstalled=1" along with both hidden and unhidden updates, that will work. The thing I'm unsure about is if you install a patch that supersedes something else, whether the old patch will roll off of this list or not.

Maybe WuInstall (http://www.wuinstall.com) which is a command line tool which uses the Windows Update API (you might want to call it a "Windows Update API command line wrapper"), however it has some very nice features beyond this is helpful for you. On WuInstall.com you also find a documentation and a Howto. I think WuInstall can at least help you with point 1-3

ad 1) Try the /offline Switch of WuInstall - you can detect already installed updates with it

ad 2) Try the /download_to option

ad 3) WuInstall /search (if you want with an additional criteria option for the query language you mentioned, or just filter by product or text with the product, severity match etc. option)

Edited by hs2n

Maybe WuInstall (http://www.wuinstall.com) which is a command line tool which uses the Windows Update API (you might want to call it a "Windows Update API command line wrapper"), however it has some very nice features beyond this is helpful for you. On WuInstall.com you also find a documentation and a Howto. I think WuInstall can at least help you with point 1-3

ad 1) Try the /offline Switch of WuInstall - you can detect already installed updates with it

ad 2) Try the /download_to option

ad 3) WuInstall /search (if you want with an additional criteria option for the query language you mentioned, or just filter by product or text with the product, severity match etc. option)

Sorry, I know you mean well, but part of this is me doing the coding to learn about Microsoft/Windows Update and what kind of information you can get out of it. Besides, I have most of a tool kit written to do just about anything that I could see as legitimate and reasonable in studying WUAPI. To that end, I answered most all of these questions well so far (and have working code) except #4 and #5, and I'm not sure that can be done since it seems a very limited amount of information is available in cross-referencing patches to other patches. #5 can't be done evidently at all since Microsoft crippled Windows Update to not allow queries against other operating systems and products than what is on the user machine (kinda bad if you want to download updates for your XP VM within Windows 7).

Current answers to the questions I posted in Post #1 of this thread.

1) As I said I have a program doing this, though it's slower than dogmeat. I may have to just crack the file and process the XML to get reasonable performance.

2) This is the patch downloader I reference in my status lines and posted for those that might want to try it (and answer me if it works on Vista and 7 right). I have it working on XP and it worked wonderfully the last two Patch Tuesdays but need to get it polished before I wide-release it.

3) I got this question mostly answered. Installed+Uninstalled returns a static patch list which seemed to be what was needed to bring the XP system I tested this on fully up to date. It doesn't return all the updates that WU would complain about on a virgin SP3 system. But this seems to work for a baseline if one wanted it, since I have noticed the older patches roll off the Installed+Uninstalled list.

4) I notice a LIMITED amount of information on superseded patches, the problem I haven't really been able to explore yet is how to take this information (update GUID) the rare times it's presented and back-track it to Update KBs and file names. Since people could rename files, a downloaded update manager would have to keep track of what file names belong to what KB#. This would benefit by being able to dump the patch list, but there doesn't seem to be any way to do this other than process the XML.

5) Again Microsoft seems to cripple WU this way, so cracking the XML would be a requirement again. Probably won't, since what I have in #2 and #3 seem to work for mine and probably most others with similar needs to mine general need without a non-standardized update file that requires human intervention.

Thanks for the suggestion.
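
The idea from point 4 (save each update's id and superseded id list, walk the ids backward to older KBs, then match those KBs against downloaded file names), as an added example that is not part of the original posts. The record layout, update ids, KB numbers and file names are all constructed for illustration.

```python
import re
from collections import deque

KB_RE = re.compile(r"KB\d+", re.IGNORECASE)

# Constructed records (hypothetical ids and KB numbers), shaped like what a
# tool might save per update: title plus its superseded update id list.
SAMPLE_UPDATES = {
    "id-new": {"title": "Security Update for Windows XP (KB9000003)",
               "supersedes": ["id-mid", "id-old", "id-lost"]},
    "id-mid": {"title": "Security Update for Windows XP (KB9000002)",
               "supersedes": ["id-old"]},
    "id-old": {"title": "Security Update for Windows XP (KB9000001)",
               "supersedes": []},
}
SAMPLE_FILES = ["windowsxp-kb9000001-x86-enu.exe", "WindowsXP-KB9000002-x86-ENU.exe",
                "windowsxp-kb9000003-x86-enu.exe", "renamed-patch.exe"]

def superseded_kbs(updates, start_id):
    """Walk superseded ids backward from start_id.

    Returns (kbs, unresolved): KBs of every older update reached, and ids
    that appear on a superseded list but have no saved record.
    """
    seen, kbs, unresolved = {start_id}, [], []
    queue = deque(updates[start_id]["supersedes"])
    while queue:
        uid = queue.popleft()
        if uid in seen:          # reached twice, or a loop in bad data
            continue
        seen.add(uid)
        record = updates.get(uid)
        if record is None:
            unresolved.append(uid)
            continue
        match = KB_RE.search(record["title"])
        if match and match.group(0).upper() not in kbs:
            kbs.append(match.group(0).upper())
        queue.extend(record["supersedes"])
    return kbs, unresolved

def removal_candidates(filenames, kbs):
    """Files whose name carries a superseded KB number (renamed files are missed)."""
    wanted = {kb.lower() for kb in kbs}
    return [f for f in filenames
            if any(m.lower() in wanted for m in KB_RE.findall(f))]
```

Ids that land in `unresolved` are the gap the post describes: a superseded id with no saved record cannot be mapped back to a KB or a file.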
