How do I know if I’m missing MS Patches?
During the Conficker storm I released a script that checked for the installation of hotfix KB958644, which was meant to help thwart the worm. Many of you sent in messages asking if there is a way, with PowerShell, to detect which MS patches are NOT installed on a machine. The answer is No! … but I’ll still show you how to get the information.
What makes scripting this a difficult task is the number of variables that may or may not be present:
- Different Operating Systems
- Service Pack Levels
- Not knowing what patches are available for each circumstance
- The list can go on…
Is PowerShell really the best tool for the job? Again my answer is no, or at least not until someone builds a cmdlet that can do the job (it will happen). So, what is the best tool for the job? Windows Update, SUS, MBSA, …? In my opinion it’s MBSA (Microsoft Baseline Security Analyzer).
The command line gives me all the information I need regarding missing patches on workstations and servers. This simple command looks like this:
‘Quick and dirty’, and you have all the security information. If you want only the update information without all the other security information, you would modify the command as such:
With the /n option you are telling MBSA NOT to gather the OS, SQL, IIS, and Password security settings; the only thing left to gather is “Updates”, which is what we want. Check out mbsacli /? for more help.
So what would PowerShell be used for? I use PowerShell to organize the data, and to show you how to call .exe’s from a PowerShell script. The code below gathers the update information using MBSA and writes the results to a temp file. PowerShell then reads the temp file, keeps only the entries that match the term “missing”, and places each entry into an Excel spreadsheet. Not rocket-surgery, but you end up with a clean report.
To run the code below, make sure your computer has Excel and MBSA installed. Also, MBSA synchronizes with Microsoft Update, so it can take a little time to find which updates are missing from the machine. Be patient, the results are worth it!
$strComputer = Read-Host "Enter Computer Name"
$strDomain = Read-Host "Enter the Domain Name"
# Default install path for MBSA 2.1. If your install path is
# different, change the line below.
$Path = "C:\Program Files\Microsoft Baseline Security Analyzer 2"
# Create new COM object for Excel
$Excel = New-Object -Com Excel.Application
$Excel.visible = $True
$Excel = $Excel.Workbooks.Add()
# Assign each worksheet to a variable and
# name the worksheet.
$Sheet1 = $Excel.Worksheets.Item(1)
$Sheet1.Name = "Patches"
# Create headings for the Patches sheet
$Sheet1.Cells.Item(1,1) = "Computer Name"
$Sheet1.Cells.Item(1,2) = "Patch Information"
$intRow = 2
$WorkBook = $Sheet1.UsedRange
$WorkBook.Interior.ColorIndex = 20
$WorkBook.Font.ColorIndex = 11
$WorkBook.Font.Bold = $True
Set-Location $Path
# Run mbsacli.exe through cmd /c and redirect its output to a temp file
# (this assignment must stay on one line)
$cmd = "cmd /c mbsacli.exe /Target $strDomain\$strComputer /n OS+SQL+IIS+Password >C:\MBSA$strComputer.txt"
Invoke-Expression $cmd
# Wrap Get-Content in @() so -match returns the matching lines even when the
# file holds a single line (on a scalar string -match returns $True/$False)
$logResults = @(Get-Content "C:\MBSA$strComputer.txt") -match "Missing"
foreach($Item in $logResults){
    $Sheet1.Cells.Item($intRow, 1) = $strComputer
    $Sheet1.Cells.Item($intRow, 2) = $Item
    $intRow = $intRow + 1
}
# Auto fit all columns in the workbook
#$WorkBook = $colorItem.UsedRange
$WorkBook.EntireColumn.AutoFit()
clear
# Delete temp file
Remove-Item "C:\MBSA$strComputer.txt"
There is one formatting issue with the code above: the line
$cmd = "cmd /c mbsacli.exe /Target $strDomain\$strComputer /n OS+SQL+IIS+Password >C:\MBSA$strComputer.txt"
should be one continuous line. If you just copy the code into Notepad, the formatting will be correct.
Also, notice that in that line I am using cmd /c mbsacli.exe to run a Windows Command Prompt as a child of the PowerShell command prompt. I do this regularly when I need to run command line utilities from a PowerShell script. To get more information on how to run a Windows Command Prompt from within a PowerShell session, just type cmd /? at the PowerShell command prompt.
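As an added example (not the script from this post), here is the same idea without the temp file and without Excel: the call operator runs mbsacli.exe directly, its standard output comes back as a string array, the "Missing" lines are turned into objects, and the report goes to CSV. It uses only the mbsacli switches shown above (/Target and /n OS+SQL+IIS+Password) and assumes the MBSA 2.1 default install path; the function names, the CSV location and the sample report lines are my own constructions, since the exact MBSA text layout is not reproduced here.

```powershell
# Added example: scan one or more computers with mbsacli.exe, keep only the
# "Missing" lines, and write a CSV. Function names and sample data are
# constructed for this example; the mbsacli switches are the ones in the post.

function ConvertFrom-MbsaReport {
    param(
        [Parameter(Mandatory=$true)] [string]   $ComputerName,
        [Parameter(Mandatory=$true)] [string[]] $Lines
    )
    # @() matters: a one-line report is a scalar string, and -match on a
    # scalar returns $True/$False instead of the matching line.
    foreach ($line in (@($Lines) -match 'Missing')) {
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            PatchInfo    = $line.Trim()
        } | Select-Object ComputerName, PatchInfo
    }
}

function Invoke-MbsaMissingScan {
    param(
        [Parameter(Mandatory=$true)] [string]   $Domain,
        [Parameter(Mandatory=$true)] [string[]] $ComputerName,
        # Assumed MBSA 2.1 default path, as in the post
        [string] $MbsaPath = 'C:\Program Files\Microsoft Baseline Security Analyzer 2',
        # Constructed output location for this example
        [string] $OutFile  = "$env:TEMP\mbsa-missing.csv"
    )
    $mbsacli = Join-Path $MbsaPath 'mbsacli.exe'
    if (-not (Test-Path $mbsacli)) { throw "mbsacli.exe not found at $mbsacli" }

    $results = foreach ($computer in $ComputerName) {
        # & runs the exe in-process; stdout is captured as a string array,
        # so no cmd /c and no temp file are needed. 2>&1 folds stderr in.
        $raw = & $mbsacli /Target "$Domain\$computer" /n OS+SQL+IIS+Password 2>&1
        ConvertFrom-MbsaReport -ComputerName $computer -Lines @($raw | ForEach-Object { "$_" })
    }
    $results | Export-Csv -Path $OutFile -NoTypeInformation
    $results
}

# Constructed sample lines (not real MBSA output) so the parser can be tried
# offline; only the second line should survive the filter.
$sample = @(
    'Computer Name: CONTOSO\WKS01',
    '| Missing   | KB000000 | Example security update (constructed)  |',
    '| Installed | KB000001 | Example update that is present (constructed) |'
)
ConvertFrom-MbsaReport -ComputerName 'WKS01' -Lines $sample | Format-Table -AutoSize
```

For a real run, call `Invoke-MbsaMissingScan -Domain CONTOSO -ComputerName WKS01,WKS02`; every computer lands in one CSV with a ComputerName column, which is easier to sort and diff over time than one worksheet per machine.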
Happy scripting…
Comments
Great stuff!
I have a question – I understand PowerShell V2.0 can remotely execute commands, but in PowerShell V1.0 -
would invoke-expression work?
also, can you use Ampersand – the call operator like
& “C:\tools\mbsacli.exe”
I know other blogs have talked about using PSExec
How would this work if I already have the reports from MBSA ?
great stuff
o2sp.com
I run the script but get an Excel entry in the cell after the computer name of false. Nothing else. So I ran only the command line example and after a while it returned the information. Am I missing something?
Great script!
One question, any way to change it so that I can add more than one computer, all in the same Domain of course, and have each computer listed in a different sheet of the Workbook/Book?
Sven