ahab Posted March 7, 2005

OK... so at work we've got a lot of computers, and not a lot of bandwidth. I've been doing various forms of this, but this is the first time that I've felt that it is publicly distributable. This is meant to be carried around on a CD and to be used on any Windows XP machine with SP2 installed.

What it does:
Creates a system restore point.
Turns off system restore to prevent each update from doing it individually.
Checks if the updates are installed (checks for log files or an install folder), skips the update if it is installed and installs the update if it is lacking.
Then it turns system restore back on.

First off we've got the main batch file. Call this whatever you want, it just has to end in .bat

@ECHO off
GOTO START
@author ahab
@version 4/15/5
:START
SET /A NUMOFUPDATES=0
ECHO Creating a System Restore point
createrestorepoint.vbs
NET STOP srservice

ECHO .NET Framework
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFRAMEWORK" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    dotnetfx /q:a /c:"install /q"
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB867460 .NET Framework 1.1 Service Pack 1
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\S867460" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    NDP1.1sp1-KB867460-X86.exe /q
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB886903 ASP.NET path validation vulnerability in Microsoft .NET
ECHO Framework 1.1 Service Pack 1
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\.NETFramework\1.1\M886903" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    NDP1.1sp1-KB886903-X86.exe /q
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB890830-V1.3 Microsoft Windows Malicious Software Removal Tool V1.3
REG QUERY "HKLM\SOFTWARE\Microsoft\RemovalTools\MRT" /v "Version" | FIND "D89EBFD1-262C-4990-9927-5185FED1F261" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    Windows-KB890830-V1.3-ENU.exe /q
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB873333 Vulnerability in OLE and COM could allow remote code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB873333" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB873333-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB873339 Vulnerability in HyperTerminal could allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB873339" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB873339-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB873374 Microsoft GDI+ Detection Tool
REM The following will just make it seem like it has been run
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\GdiDetectionTool" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    REG ADD "HKLM\SOFTWARE\Microsoft\GdiDetectionTool" /v "GDITool" /t REG_DWORD /d "00000001" /f > nul 2>&1
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB885250 Vulnerability in server message block could
ECHO allow remote code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885250" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB885250-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB885835 Vulnerabilities in Windows Kernel and LSASS could allow
ECHO elevation of privilege
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885835" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB885835-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB885836 A vulnerability in WordPad could allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885836" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB885836-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB886185 Critical Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB886185" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB886185-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB887472 Security update to Microsoft Windows Messenger
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887472" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB887472-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB887742 Security update to Microsoft Windows Messenger
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887742" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB887742-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB887797 Cumulative Update for Outlook Express for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB887797" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB887797-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB888113 Vulnerability in hyperlink object library could allow remote code
ECHO execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB888113" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB888113-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB888302 Vulnerability in Windows could allow information disclosure
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB888302" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB888302-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB890175 Vulnerability in HTML Help could allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890175" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB890175-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB890859 Security Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890859" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB890859-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB890923 Cumulative Security Update for Internet Explorer
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB890923" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB890923-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB891781 Vulnerability in the DHTML editing component ActiveX control could
ECHO allow code execution
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB891781" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB891781-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB893066 Security Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893066" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB893066-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB893086 Security Update for Windows XP
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893086" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsXP-KB893086-x86-enu.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

ECHO KB893803 Microsoft Windows Installer 3.1
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB893803" > nul 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO is already installed
) ELSE (
    ECHO Installing...
    WindowsInstaller-KB893803-x86.exe /quiet /norestart
    SET /A NUMOFUPDATES+=1
    ECHO Installation complete.
)

NET START srservice
ECHO The updater script has completed. %NUMOFUPDATES% installed.
IF %NUMOFUPDATES% GTR 0 ECHO A reboot is recommended.
PAUSE

You probably noticed createrestorepoint.vbs. That's a visual basic script that does what it says...
the following goes into that file

'Unattended System Restore Point
'sysrestorepoint.vbs
'© Doug Knox - rev 02/11/2002
'Downloaded from www.dougknox.com
'Extracted from original code by Bill James - www.billsway.com
'Modified even more by ahab
Set sr = getobject("winmgmts:\\.\root\default:Systemrestore")
If (sr.createrestorepoint("Updater Restore Point", 0, 100)) <> 0 Then
    MsgBox "Restore Point creation Failed!"
End If

A lot of help from HOTFIXES: Win2000 SP4 – WinXP SP1 – WinXP SP2.

And here are the links to download all the updates:
KB891781, KB890830 1.2, KB890175, KB890047, KB888302, KB888113, KB887797, KB887742, KB887472, KB886903, KB886185, KB885836, KB885835, KB885250, KB873374, KB873339, KB873333, KB867460, KB867282, .NET Framework Version 1.1

For future reference here are the updates that actually make a restore point: KB891781, KB890175, KB888302, KB888113, KB887797, KB887472 (last known accurate 3/8/5)

And the scripts that I have posted above are attached in a .zip file. Just extract the .zip file and download all the updates to the directory that the scripts are in, run the .bat and you're set.

It does not include WMP 10. I know this. I might add that in the future... but not now.

Changelog:
3/6/5 - First major release
3/8/5 - Added malicious software removal 1.2, and removed anything that referenced .net as anything besides the 1.1 install was broken. I'll try and add that later... but it's not needed right now. The .NET package included these three: .NET Framework Version 1.1, KB867460, KB886903. I also added a bit in the malicious software detection from this post. I want that to actually run, unlike the GDI+ detection tool. You can change that by just putting REM in front of what you don't want to run.
3/13/5 - See this post

Comments? Concerns? Sarcastic remarks?

Updates.zip

ahab (Author) Posted March 9, 2005

*bump* for a revision in the updates.

Anyone know how to do quiet installs of the .NET hotfixes? I know the .NET 1.0 framework takes:

dotnetfx.exe /q:a /c:"install /q"

I've searched for the others and tried /? with no luck.

Takeshi Posted March 10, 2005

I'm puzzled by two points.

If you create a SR point and then turn off SR, it will delete all the SR points.

Also, the reg files edit the HKLM keys and normally this would require a reboot to take effect.

Also, wouldn't it be better for the script to check for update entries directly in the registry, rather than the logs, as I delete the logs myself periodically?

ahab (Author) Posted March 10, 2005

I will double check that about system restore in the next few days.

I would much rather check the registry, but.... can't do that with the REG command (it can only compare what is actually in the registry) and regedit can only import or export reg keys. I could export a key, then compare it to a file but I'd rather not take that step. (The Windows registry is not a strong point of mine). You might see this page.

I *could* check for uninstall information instead.

Takeshi Posted March 10, 2005

That website doesn't mention Reg query but it surely exists in Windows XP and seems to do what I have in mind.

WSH RegRead also does similar via VBS or JS.

If the end-users don't delete the log files (or the Uninstall folders) then your script should do it. I'm just trying to find the best or most professional way to do it.

KB890830-V1.2 is now v1.3.

After installing the last update, a restart is required.

ahab (Author) Posted March 10, 2005

> why not just use SUS or sms?

With the network situation at work it probably took less time to write this script than to deploy either one of those.

jondercik Posted March 10, 2005

True, but those products can ensure total network compliance with future patches without having to go computer to computer.

ahab (Author) Posted March 10, 2005

SUS or SMS would be preferred, believe me. Just not a possibility right now.

> WSH RegRead also does similar via VBS or JS.

I'm not too keen on getting that deep into windows scripting.

> If the end-users don't delete the log files (or the Uninstall folders) then your script should do it. I'm just trying to find the best or most professional way to do it.

I wouldn't consider this really professional or anything, more or less a tool that I've found works well for what I want to do and figured I'd share. Any ideas for improving it that aren't too hard to code are welcome.

> KB890830-V1.2 is now v1.3.

I'm only finding 1.2 (from March 8th) on MS's website.

> After installing the last update, a restart is required.

Woo... rebooting after all this is done is something that I'd like to implement, but batch has its limitations and can't do that very pretty... I suppose I should add

ECHO A reboot is strongly recommended.
PAUSE

to the end of it.

Any other suggestions?

ahab (Author) Posted March 10, 2005

> That website doesn't mention Reg query but it surely exists in Windows XP and seems to do what I have in mind.

Reg query is in WinXP... hmm... I only looked at the actual output of it, not the errorlevel that it would return, I suppose that would work. I'm thinking have it take the registry key, output it to a file. If the registry key is not there, the errorlevel is 1 and the following can be easily modified to install it

@ECHO off
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" "%TEMP%\check.reg"
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\DOESNOTEXIST" "%TEMP%\check.reg"
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

course at the end of the batch file this check.reg would be deleted

I would use REG QUERY except it likes to display a lot of text that makes things ugly.

Takeshi Posted March 10, 2005

Yes you're right about KB890830 v1.2.

Reg query can be used with %ERRORLEVEL% in a bat script without having to output anything in text (add >nul).

ahab (Author) Posted March 11, 2005

@ECHO OFF
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" > nul 2>&1
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)
REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\DOESNOTEXIST" > nul 2>&1
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

Just plain > nul would still spit out Error: The system was not able... if it was not able to find the registry key, hence the 2>&1. Seems to be the neatest way to do it. When I was working with REG EXPORT I was wanting to send it to /dev/null but didn't know of the windows equivalent.

That'll make things muuuch neater. Thanks Takeshi.

ahab (Author) Posted March 14, 2005

Now counts the number of updates that have been installed and tells you at the end.

The .NET framework and all updates are back in. .NET Framework Version 1.1, KB867460, KB886903

Updates to note:
- KB890830-V1.2 - This version stores its version as "F8327EEF-52AA-439A-9950-CE33CF0D4FDD". The script takes the output from REG QUERY and finds the "F832..." string in it. You can skip this update altogether, see this post
- I'm still not running the GDI detection tool, it does check to see if the registry value is there though.

Before I posted it here I didn't check if the update was already installed. Then I checked for a logfile of its install with "IF EXIST C:\WINDOWS\KB834707.log". Log files aren't always there, so at Takeshi's suggestion I started checking the registry.

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" "%TEMP%\check.reg"
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

That's not the most elegant, so again at Takeshi's suggestion I moved onto

REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB834707" > nul 2>&1
if %ERRORLEVEL% EQU 0 ( ECHO This one is installed ) ELSE (ECHO This one is not installed)

I'd consider that nice & neat code.

Originally I turned off the System Restore Service and disabled System Restore in the registry. Didn't need to do both to prevent each update from making their own restore points. "REGEDIT /S sroff.reg" was run before system restore service was stopped. "REGEDIT /S sron.reg" was run before the service was started again, but after all the updates.
This is sroff.reg:

Windows Registry Editor Version 5.00

;disable system restore
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000004

and this is sron.reg

Windows Registry Editor Version 5.00

;enable system restore
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr]
"Start"=dword:00000000

If you really want to use these .reg files (I see no reason to) you could modify the script accordingly.

Also changed the name of the restore point from "Automatic Restore Point" to "Updater Restore Point". Also, when you turn off the system restore service it does not delete the previous restore points. Good God you should see how many restore points my poor test install has.

Takeshi Posted March 15, 2005

I'm still a bit puzzled by this.

When you turn off SR service via regedit, it won't do anything until you reboot the computer, because it writes to the HKLM key and this normally requires a reboot to take effect.

So when you turn it off and on with regedit in the same session, nothing should have happened.

I think you would normally use the net stop and net start command to stop and start services with immediate effect!

Coming back to the bat file, you can further simplify it by using HKLM or set it as variable, if you like.
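
The simplification suggested in the post above, carried one step further as an added example (not ahab's script and not code from any poster in this thread): the registry root goes into a variable and one subroutine replaces the repeated check-and-install blocks for the WindowsXP-KB...-x86-enu.exe packages. The names UPDROOT, PKG, RC, FAILED, NEEDREBOOT and :Hotfix are made up for this sketch; exit code 3010 is the standard Windows "success, reboot required" code.

```bat
@ECHO OFF
SETLOCAL
REM Added example, not the thread's script. UPDROOT, :Hotfix and the
REM counter names are assumptions introduced for this sketch.
SET "UPDROOT=HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP3"
SET /A NUMOFUPDATES=0
SET /A FAILED=0
SET /A NEEDREBOOT=0

REM Work from the directory holding this script and the update packages,
REM so a package name can never resolve to a file elsewhere on the PATH.
PUSHD "%~dp0"

REM KB numbers taken from the script posted earlier; extend as needed.
FOR %%K IN (KB873333 KB873339 KB885250 KB885835 KB885836) DO CALL :Hotfix %%K

POPD
ECHO %NUMOFUPDATES% installed, %FAILED% failed.
IF %NEEDREBOOT% EQU 1 ECHO A reboot is required to finish installing.
EXIT /B %FAILED%

:Hotfix
REM %1 = KB number. Package names follow WindowsXP-KBnnnnnn-x86-enu.exe.
SET "PKG=WindowsXP-%1-x86-enu.exe"
REG QUERY "%UPDROOT%\%1" > nul 2>&1
IF NOT ERRORLEVEL 1 (
    ECHO %1 is already installed
    GOTO :EOF
)
IF NOT EXIST "%PKG%" (
    ECHO %1 package %PKG% is missing, skipped
    SET /A FAILED+=1
    GOTO :EOF
)
ECHO %1 installing...
"%PKG%" /quiet /norestart
SET "RC=%ERRORLEVEL%"
REM 0 = installed; 3010 = installed, reboot needed; anything else = failure.
IF "%RC%"=="0" (
    SET /A NUMOFUPDATES+=1
    GOTO :EOF
)
IF "%RC%"=="3010" (
    SET /A NUMOFUPDATES+=1
    SET /A NEEDREBOOT=1
    GOTO :EOF
)
ECHO %1 installer returned %RC%, not counted as installed
SET /A FAILED+=1
GOTO :EOF
```

Unlike the repeated blocks, this counts an update only when its installer reports success, so a missing or failed package shows up in the summary instead of being reported as installed.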

Takeshi Posted March 15, 2005

I've just tested your reg files.

It does seem to do what you said, but rather strangely, when going to services.msc, it has no effect on the status (i.e. it still says Started and Automatic after applying the sroff.reg)!