Integrated Hotfixes, Not Integrated After All ?


Posted

After my first post about how to (questioning) integrate hotfixes and so on, I managed to integrate files into the core after all.

(prev. post http://www.msfn.org/board/index.php?showtopic=40292&hl= )

Some pre-info:

- I disabled Windows File Protection

- I've extracted all of my hotfixes into a folder and replaced them with original I386 files

- I've renamed all the .inf's to kbxxxx.inf and put them into the svcpack folder.

- I've edited DOSNET.INF and created a SVCPACK.INF (and put in the catalog list)

After doing this I burned the whole thing on CD (bootable) and installed everything without encountering any problems... so far.

After checking Windows Update again (Windows 2000) I saw that there were 16 Essential Hotfixes available. I wrote those KB numbers down and checked them with the hotfixes in my download list. All of those hotfixes, except a few, were in my hotfixes download folder.

Well, this is where my questioning starts: how is it possible that it detects the hotfixes even though I integrated them?

I thought about some possibilities, listed below:

- .INF or .CAT file is missing (that wasn't the problem)

- The hotfix files are overwritten by even later hotfix files (thinking about SHLWAPI.DLL for instance, IE updates)

PS: Do I need all IE (6 SP1) updates, or is the latest enough?

Edit: Which INF files are more important, those in the /update/ folder of the hotfix or those in the 'root' folder of the hotfix?

PS: I know there's a thread http://www.msfn.org/board/index.php?showtopic=32125 with a lot of information and I read all the replies, but I still don't get this thing settled.

Any help, advice or anything else useful is much appreciated.

Kind regards,

Honnes


Posted

From my experience, it seems to make windowsupdate happy, all you really need is some key registry entries. In other words, it doesn't really check the presence of the updated dll/exe/etc. Well, that's the case with a majority of the hotfixes anyway. The registry entries are nestled in the inf files for the Type 1 hotfixes. Type 2 and the MDAC hotfix infs need a little digging to get the proper registry entry.

Personally, I prefer using the HFNETCHK program to detect proper installation of the hotfixes because it looks at the dll/exe/etc files for the latest acceptable revisions as opposed to windowsupdate looking for an "is installed" in the registry. Windowsupdate seems to be more of a registry checker than anything else.

I don't think that your svcpack inf file is running your inf files that you extracted from your hotfixes. Without editing the inf files, you will probably get error windows during the last phase of the windows installation process. With proper editing of the inf file you won't get copy errors AND you'll make windowsupdate happy. One thing I found out is that if an INF file isn't correct, it won't make any registry changes at all. Making the proper INF file can be a tedious process though, especially with the Type 2 hotfixes. I have accomplished making all the hotfix INF files once before.

If you have integrated your hotfixes manually without integrating IE6, you will run into difficulties with the shlwapi.dll and some other dlls. Installing IE6 via svcpack or later will add a variety of files, and will replace some of your integrated updated dlls with old ones that are in the IE6 installer. After IE6 is installed, then you have to install the IE6 rollup updates to correct and update the dlls. I prefer to just use my cmd file to integrate IE6 and all the w2k post sp4 updates. Far easier and works like a champ for me.

BTW, what hotfixes are you having trouble with?

Good luck.

Posted

I already have such a batch file like yours, same stuff, and I edited it for some customisation.

I have a little extension: I have a so-called .TXT in which my hotfixes are listed based on old to new, so old files will get replaced. IE6 is also integrated.

Can you help me on how to get proper information out of the .INF files for both types of hotfixes? I am now running some test CDs, without success; I hope you're willing to help me out.

You can contact me via this board or mail me at johannes [ AT ] josy.org (I also have MSN).

Many thanks in advance.

Posted

Windows Update was intended to be a consumer update site allowing easy detection and installation of patches made available by Microsoft.

WU checks your registry and sees what has been installed based on the presence of registry values:

HKLM\Software\Microsoft\Updates or

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Hotfix

WU simply checks a value stored there called "Installed" to see if it's 1. If it is, WU won't show you the patch; it assumes it's been installed.

The Microsoft Network Security Hotfix Checker (Hfnetchk.exe) tool does a file check.

HFNetchk uses a reliable mechanism: it downloads an XML file containing all of the pertinent details of all patch files (and their contents) and then scans the files actually on disk to make a comparison. Any discrepancy, for whatever reason, is reported (or can be reported if verbose mode is enabled).

Microsoft Baseline Security Analyzer (MBSA), a free tool from Microsoft, not only looks for missing patches but also checks various configuration settings to see if you haven't addressed known insecure configuration settings. Since it uses HFNetchk for patch checking, it can be considered the same as HFNetchk with respect to patches.

WU cannot be trusted to display "the most up-to-date and accurate versions of anything you choose to download from the site".

WU's method of determining successful patch installation can't be trusted either.

The premise upon which WU works is just too simplistic. Although write access to the registry keys where the information is stored is restricted to Administrators and SYSTEM, there's no verification that what it thinks has been done has actually been done. It relies upon Windows File Protection to ensure that files haven't been altered, but it can't (and doesn't) reconcile itself. Add keys for as yet unreleased patches and it will think they're installed; get a corrupt or altered hive and it will think they're not installed.

So in the end, don't use Windows Update.
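The two detection methods contrasted in this thread, side by side, as an added example that is not part of any post: a registry-flag check in the Windows Update style and a file-version check in the HFNetChk style, run over the same machine state. Plain dictionaries stand in for the hotfix registry keys and the versions on disk; the KB ids, file versions and verdict strings are constructed for illustration.

```python
# Added example; KB ids, versions and both snapshots below are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Patch:
    kb: str      # placeholder id, not a real KB number
    files: dict  # file name -> minimum acceptable version

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def registry_check(registry, patch):
    """Windows Update style: trust the "Installed" value under the hotfix key."""
    return registry.get(patch.kb, {}).get("Installed") == 1

def file_check(disk, patch):
    """HFNetChk style: compare versions on disk against the patch manifest."""
    problems = []
    for name, minimum in patch.files.items():
        have = disk.get(name)
        if have is None:
            problems.append(f"{name}: missing")
        elif parse_version(have) < parse_version(minimum):
            problems.append(f"{name}: {have} < {minimum}")
    return problems

def audit(registry, disk, catalog):
    """Return {kb: (verdict, problems)}, comparing both methods per patch."""
    report = {}
    for patch in catalog:
        flagged, problems = registry_check(registry, patch), file_check(disk, patch)
        if flagged and problems:
            verdict = "flag set, files stale"        # e.g. DLL overwritten later
        elif not flagged and not problems:
            verdict = "files current, flag missing"  # integrated, INF never ran
        else:
            verdict = "installed" if flagged else "missing"
        report[patch.kb] = (verdict, problems)
    return report

CATALOG = [Patch("KB-A", {"shlwapi.dll": "6.0.2800.1400"}),
           Patch("KB-B", {"example.dll": "5.0.2195.7000"}),
           Patch("KB-C", {"other.dll": "5.0.2195.6900"})]
REGISTRY = {"KB-A": {"Installed": 1}, "KB-C": {"Installed": 1}}
DISK = {"shlwapi.dll": "6.0.2800.1106", "example.dll": "5.0.2195.7000",
        "other.dll": "5.0.2195.6900"}
REPORT = audit(REGISTRY, DISK, CATALOG)
```

"files current, flag missing" is the situation in the first post (files integrated, hotfix still offered), while "flag set, files stale" is the case a registry-only check cannot see.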
