#211534 - 2016-05-25 04:24 PM
checking installed patches
|
BradV
Seasoned Scripter
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
|
Five years ago, I was working on a function to check for installed patches: GetAllPatches

I was recently made the administrator of 6 Windows servers. Five are Windows 2003 R2, 32 bit and the last one is a Windows 2008, 64 bit. No one has patched these for years. The developers are afraid because they think patching will break their application. I have a large list of mandatory patches I am trying to check for. From two of the 2003 servers, I just don't get any results. From the 2008 server, I get that it does not seem to be running automatic updates, but I think it is. At least the group policy shows that it is.

I create an ini file with the server names:

[computers]
comp1=server1
comp2=server2

and another ini file with the required patches:

[patch]
patch1=KB2655992
patch2=KB2691442

and then called my function with:
Break On
Dim $SO
;
$SO = SetOpt('Explicit', 'On')
$SO = SetOpt('NoMacrosInStrings', 'On')
;
DIM $strWks, $strFile, $arrPatches[5,0], $intI
DIM $strComps, $strPatch, $colComps, $objComp, $colPatchs, $objPatch, $strPatchID
DIM $intErr, $binStatus
;
include "functions.kix"
;
$strFile = "c:\temp\patch_compliance.ini"
$strComps = "c:\temp\computers.ini"
$strPatch = "c:\temp\patch.ini"
;
$colComps = Split(ReadProfileString($strComps,"computers",""),chr(10))
$colPatchs = Split(ReadProfileString($strPatch,"patch",""),chr(10))
;
; If the patch report file exists, delete it to get a fresh copy.
;
If Exist($strFile)
  Del $strFile
  ? "Deleted the old patch report file."
EndIf
;
For Each $objComp in $colComps
  If $objComp <> ""
    $strWks - ReadProfileString($strComps,"computers",$objComp)
    ? "Checking patches on: " + $strWks
    ; First check to see if the automatic update service is running.
    If CheckAutoUpdate($strWks) = 0
      $arrPatches = GetAllPatches($strWks)
      If Ubound($arrPatches,2) > 0
        ; Check each patch we are interested in against the list of returned patches.
        For Each $objPatch in $colPatchs
          If $objPatch <> ""
            $strPatchID = ReadProfileString($strPatch,"patch",$objPatch)
            ? "Checking for patch, " + $strPatchID
            $binStatus = 0
            For $intI = 1 to Ubound($arrPatches,2)
              If Instr($arrPatches[0,$intI],$strPatchID)
                $intErr = WriteProfileString($strFile,$strPatchID,$strWks,$arrPatches[4,$intI])
                $binStatus = 1
              Else
                $intErr = WriteProfileString($strFile,$strPatchID,$strWks,"could not find this patch")
              EndIf
            Next
            If $binStatus = 0
              $intErr = WriteProfileString($strFile,$strPatchID,$strWks,"Not Installed")
            EndIf
          EndIf
        Next
      Else
        ? "Did not receive results from " + $strWks
        $intErr = WriteProfileString($strFile,$strPatchID,$strWks,"Could not read from this system")
      EndIf
      ? "-----------------------------------------------"
    Else
      ? "Automatic updates does not seem to be running on " + $strWks
    EndIf
  EndIf
Next

Three servers work fine. Two others, I just don't get any results. For the Windows 2008 server, it says it is not running automatic updates. I thought it might be a problem trying to query a remote server, but I get the same results if I run it on the problem server. Any suggestions?
|
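The per-server, per-KB report described in the post above, as an added PowerShell example that is not code from the thread: it records whether the query failed, returned nothing, or actually answered, so an unreadable server is never reported as unpatched. The function name `Get-PatchCompliance` and the status labels are assumptions, the server names and KB numbers are the sample values from the post, and it assumes Windows PowerShell 3.0 or later on the machine running it.

```powershell
# Added example (not from the thread). Server names and KB numbers are the
# sample values from the post; the function name and status labels are assumed.
function Get-PatchCompliance {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string[]]$RequiredKB
    )
    foreach ($computer in $ComputerName) {
        $failure = $null
        try {
            # Get-HotFix reads Win32_QuickFixEngineering over WMI. -ErrorAction Stop
            # turns RPC, firewall and access-denied failures into a catchable error.
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop)
        }
        catch {
            $installed = @()
            $failure   = $_.Exception.Message
        }

        # Index the returned hotfixes by id; skip entries with an empty HotFixID.
        $byId = @{}
        foreach ($fix in $installed) {
            if ($fix.HotFixID) { $byId[$fix.HotFixID] = $fix }
        }

        foreach ($kb in $RequiredKB) {
            $detail = $null
            if ($failure)                   { $status = 'QueryFailed'; $detail = $failure }
            elseif ($installed.Count -eq 0) { $status = 'NoData' }
            elseif ($byId.ContainsKey($kb)) { $status = 'Installed'; $detail = $byId[$kb].InstalledOn }
            else                            { $status = 'NotInstalled' }

            [pscustomobject]@{
                Computer = $computer
                KB       = $kb
                Status   = $status
                Detail   = $detail
            }
        }
    }
}

Get-PatchCompliance -ComputerName 'server1', 'server2' -RequiredKB 'KB2655992', 'KB2691442' |
    Format-Table -AutoSize
```

On Windows Vista/2008 and later, Win32_QuickFixEngineering lists only updates installed through Component Based Servicing, so a `NotInstalled` row there is a prompt to check a second source rather than proof the patch is missing.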
#211535 - 2016-05-25 04:50 PM
Re: checking installed patches
[Re: BradV]
|
ShaneEP
MM club member
Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
|
There is a typo in this line
$strWks - ReadProfileString($strComps,"computers",$objComp)
should be
$strWks = ReadProfileString($strComps,"computers",$objComp)
But that's probably not the issue if it works on three of them.
Edited by ShaneEP (2016-05-25 04:51 PM)
|
#211536 - 2016-05-25 04:56 PM
Re: checking installed patches
[Re: ShaneEP]
|
ShaneEP
MM club member
Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
|
Also remember that arrays are 0 based, so this
If Ubound($arrPatches,2) > 0
Should probably be
If Ubound($arrPatches,2) >= 0
In case there is only 1 in the list.
Same goes for this
For $intI = 1 to Ubound($arrPatches,2)
should probably be
For $intI = 0 to Ubound($arrPatches,2)
Otherwise you will miss the first in the list, unless your getallpatches is padding the first element or something weird.
|
#211537 - 2016-05-25 05:08 PM
Re: checking installed patches
[Re: ShaneEP]
|
BradV
Seasoned Scripter
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
|
Hi Shane,
I have to retype. So, typos are quite probable.
The patch array 0 element has the titles. So, I'm not ignoring it, just use it to store the title (which I set even if nothing is found). So, the upper bound needs to be greater than 0. You are correct in that the GetAllPatches is padding the first element with something weird!
|
#211545 - 2016-05-26 04:15 PM
Re: checking installed patches
[Re: Lonkero]
|
BradV
Seasoned Scripter
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
|
I didn't have a choice and I told them I was going to get rid of them as soon as I could. Most of those servers are virtual servers under VMware on old hardware with no current maintenance contract. I have limited VMware experience. My plan, as soon as I can get them patched and re-accredited by corporate, is to move them to corporately supported OpenStack Windows 2012 servers.
So, I need to figure out the patching state on the three servers that aren't working. I guess I'll have to add some more debugging messages and see if I can figure out what is going on.
|
#211548 - 2016-05-26 05:48 PM
Re: checking installed patches
[Re: Glenn Barnas]
|
BradV
Seasoned Scripter
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
|
I did something similar. Created a small function that tests if $DEBUG is true and then prints out the comments. So, that is getting me some more details, but nothing jumping out as a problem, except for some reason, when I run the $objSC.Run, I always get back "invalid number of parameters" even if it works. I'm trying to test if auto updates is enabled. I found some vbscript that starts with:
Set objAutoUpdate = CreateObject("Microsoft.Update.AutoUpdate")
Set objSettings = objAutoUpdate.Settings
I'm not really sure how to put that in kix. Any suggestions?
|
#211549 - 2016-05-26 06:43 PM
Re: checking installed patches
[Re: BradV]
|
ShaneEP
MM club member
Registered: 2002-11-29
Posts: 2125
Loc: Tulsa, OK
|
I found a script similar to this on the following link. Maybe it could help? It seems to detect my level correctly, but I don't have rights to change the settings to verify it works for all levels.
$objAutoUpdate = CreateObject("Microsoft.Update.AutoUpdate")
$objSettings = $objAutoUpdate.Settings
$UpdateLevel = $objSettings.NotificationLevel
; NotificationLevel is the WUA AutomaticUpdatesNotificationLevel enumeration.
Select
  ; 0 = aunlNotConfigured
  Case $UpdateLevel=0
    ? "Automatic Updates is not configured by the user or by a Group Policy administrator."
  ; 1 = aunlDisabled
  Case $UpdateLevel=1
    ? "Never check for updates(not recommended)."
  ; 2 = aunlNotifyBeforeDownload
  Case $UpdateLevel=2
    ? "Automatic Updates prompts users to approve updates before downloading or installing."
  ; 3 = aunlNotifyBeforeInstallation
  Case $UpdateLevel=3
    ? "Download updates but let me choose whether to install them."
  ; 4 = aunlScheduledInstallation
  Case $UpdateLevel=4
    ? "Install updates automatically(recommended)."
  ; Case 1 is always true, so it acts as the default branch.
  Case 1
    ? "Notification level could not be determined."
EndSelect
Get $

https://www.zabbix.com/forum/archive/index.php/t-48968.html
|
#211551 - 2016-05-26 07:34 PM
Re: checking installed patches
[Re: ShaneEP]
|
BradV
Seasoned Scripter
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
|
That is the exact script I was trying to translate to kix.
|
#211553 - 2016-05-27 09:49 PM
Re: checking installed patches
[Re: Lonkero]
|
BradV
Seasoned Scripter
Registered: 2006-08-16
Posts: 686
Loc: Maryland, USA
|
I have six servers to check and 5 years of patches on each. The script works on three, but not the other three for some unknown reason. When I get back to work next Tuesday, I'll keep putting in more debugging messages and see if I can't figure it out.
|