Pushing Out Patches Poor Man’s Style!

We all have heard of the Windows WMF vulnerability and the need to apply patch KB912919. Maybe you don’t run WSUS or any patch management at all. Yet being the lazy administrators we are, we would rather the computer do all the grunt work instead of us. Having been assigned 80 computers to patch, I was looking for a way to do this remotely rather than run around like a mad man patching systems by hand. In order to do this we need a few things. First, we need a list of the NETBIOS names of the computers involved. No sweat here: I had inventoried all the computers I was responsible for in an Excel spreadsheet. Just save it as a plain text file and it’s done. Next, we need the Server service turned ON, the Windows Firewall turned OFF, and File and Printer Sharing INSTALLED and ENABLED on the end workstations. You’ll also need the local administrator password, and the remote machine has to be turned on. I found this batch file on the newsgroup and modified it for my purposes. You can look at the script here. To run it, you must first save the TXT file as a BAT file. Then, pass your administrator password as the second argument like this: patchem FuNkYMonk3Y. Finally, make sure there is a plain ASCII text file named PCLIST.TXT in the same directory that PATCHEM.BAT resides in. The format of PCLIST.TXT should look like this.

The batch file is pretty slick. It uses PsExec to remotely execute a file on the remote workstation using administrator credentials. The FOR loop keeps cycling through PCLIST.TXT, passing each NETBIOS name to PsExec to try. There is a line that copies the file to the workstation before running it. PsExec -c should now work, so you can eliminate the copy line and issue that additional parameter instead (PsExec -c didn’t work and I alerted Russinovich to that fact, which he acknowledged and fixed in January 2006).

That was pretty cool…but how do we know which computers got the patch and which ones didn’t? Well, we can re-use the script above with a little tweaking. Take a look at it here. Basically, it looks for the presence of a $NtUninstallKB912919$ folder under the Windows folder. If it finds it, we assume the system is patched and move on. However, if it doesn’t find it, it writes that computer name out to RESULTS.TXT. We can, in turn, rename RESULTS.TXT back to PCLIST.TXT and feed PATCHEM.BAT this list until we have exhausted the automated route. The computers that are left will have to be done by hand.
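Since the two scripts linked above share the same FOR loop over PCLIST.TXT, here is one batch file, written for this page as an added example and not the author’s original script, that covers both the push described two paragraphs up and the verification pass described just above. Everything not in the post is an assumption: the push/check mode argument, the Administrator account name, the installer file name in PATCHEXE (set it to whatever you downloaded), the /quiet /norestart switches of the update.exe-based hotfix installer, and PsExec.exe being in the PATH.

```batch
@echo off
REM PATCHEM.BAT -- added example modelled on the post, not the author's script.
REM Two modes share one FOR loop over PCLIST.TXT:
REM   patchem push  <localAdminPassword>   push KB912919 to every listed host
REM   patchem check <localAdminPassword>   write hosts WITHOUT the patch to RESULTS.TXT
REM Assumed: PsExec.exe in the PATH; PCLIST.TXT beside this file (one NETBIOS
REM name per line, blank lines and lines starting with # are skipped); PATCHEXE
REM names the hotfix installer you downloaded.
setlocal
if /i "%~1"=="push"  if not "%~2"=="" goto :run
if /i "%~1"=="check" if not "%~2"=="" goto :run
echo Usage: %~nx0 push^|check ^<localAdminPassword^>
exit /b 1

:run
set MODE=%~1
set ADMINPW=%~2
set ADMINUSER=Administrator
set PATCHEXE=WindowsXP-KB912919-x86-ENU.exe
REM Start a fresh results file; after the run, rename it to PCLIST.TXT and repeat.
if exist RESULTS.TXT del RESULTS.TXT

REM One pass over the list; each name is handed to the subroutine for the mode.
for /f "usebackq eol=# tokens=1" %%P in ("PCLIST.TXT") do call :%MODE% %%P

echo Done. Hosts still needing attention (if any) are listed in RESULTS.TXT.
if exist RESULTS.TXT type RESULTS.TXT
endlocal
exit /b 0

:push
REM -c copies the installer to the remote host (replacing the separate COPY line
REM the post mentions), -f overwrites a stale copy, -s runs it as LocalSystem.
REM /quiet /norestart are the update.exe silent switches (assumed for this hotfix).
echo Patching %1 ...
psexec \\%1 -u %ADMINUSER% -p %ADMINPW% -s -c -f "%PATCHEXE%" /quiet /norestart >nul 2>&1
if errorlevel 1 (
    echo   FAILED on %1 ^(psexec or installer exit code %errorlevel%^)
    >>RESULTS.TXT echo %1
) else (
    echo   pushed to %1 ^(reboot still required^)
)
goto :eof

:check
REM The installer leaves %SystemRoot%\$NtUninstallKB912919$ behind. The test runs
REM on the remote side so %SystemRoot% resolves there (WINDOWS or WINNT); the
REM doubled %% makes this script pass the literal text %SystemRoot% to PsExec.
REM A nonzero code means "folder missing" or "host unreachable"; both go back
REM into RESULTS.TXT for the next round, as the post describes.
psexec \\%1 -u %ADMINUSER% -p %ADMINPW% cmd /c "if exist %%SystemRoot%%\$NtUninstallKB912919$\NUL (exit 0) else (exit 1)" >nul 2>&1
if errorlevel 1 (
    echo   %1 : patch NOT found ^(or host unreachable^)
    >>RESULTS.TXT echo %1
) else (
    echo   %1 : patched
)
goto :eof
```

The redirection is written as `>>RESULTS.TXT echo %1` rather than `echo %1>>RESULTS.TXT` on purpose: a host name ending in a digit, such as PC1, would otherwise be parsed as a file-handle redirect and the trailing digit would be lost. One thing to keep in mind when running it this way: the password given on the command line is visible in the local process list for the duration of the run, and PsExec versions of this era sent the -u/-p credentials to the remote host without encryption, so run it from a trusted workstation and rotate the local administrator password afterwards if the wire is shared.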

Darn, my seat was just getting warm too!

– Soli Deo Gloria
