Frequently asked questions about the Microsoft Network Security Hotfix Checker (HFNetChk) functionality that is integrated into the Microsoft Baseline Security Analyzer (MBSA) (305385)

MORE INFORMATION

Frequently Asked Questions

General

Q: How can I find the syntax for the mbsacli -hf command?
A: At a command prompt, type mbsacli -hf /?. Then, press ENTER to view the syntax. The syntax is also described in the "HFNetChk-style Scans" section in the following Microsoft Knowledge Base article: Q: Do I have to be an administrator to run MBSA?
A: Yes. You also must have administrative credentials on any remote computers that you want to scan.

Q: What permissions do I need to run MBSA against remote computers?
A: You must have administrative credentials on every computer that you scan.

Q: I have already installed a particular software update. Why does MBSA display a message that this software update is not installed?
A: If MBSA identifies the software update as "Not Found", either the corresponding software update registry key is not present, or the files in the software update are not found on the computer. To view the reason why MBSA identifies the software update as not found, run mbsacli -hf by using the -v switch. Also, run the command by using the -z switch. For example, type mbsacli -hf -v -z. Examine the results for the software update that is not found. Then, view the Error Messages section in this article for more information.

Q: Why are there two entries for some bulletins?
A: Some security bulletins have more than one software update. For example, MS01-015 references two Internet Explorer software updates that should be installed: one for the Telnet issue and one for the file cache issue. The two software updates are marked with two Microsoft Knowledge Base article numbers in the MBSA output.

Q: I am running Microsoft Windows 2000 without any service packs installed and Microsoft Internet Information Services (IIS) 5.0. Why do some software updates not appear in the list of software updates that I have to install?
A: Some software updates can be installed only on computers that are running Windows 2000 with Service Pack 3 (SP3) or Service Pack 4 (SP4). These software updates are not available for Windows 2000 with no service packs installed. The software updates are not displayed unless the computer has Windows 2000 SP3 or Windows 2000 SP4 installed. To make sure that the computer is up to date, install the most recent service pack. Then, run the mbsacli -hf command. When you do this, all the software updates that are required for the computer appear.

Q: Why does MBSA not display all the software updates that are available for a product?
A: The default output of the mbsacli -hf command displays only critical, numbered Microsoft Security Response Center (MSRC) software updates for the operating system and service pack. The default output takes into account earlier software updates that are superseded by later software updates. Use the -history 2 switch to display all the missing software updates. The list of software updates includes those that are superseded by later software updates.

For example, the software update for MS01-044 supersedes many earlier IIS software updates. Therefore, if the computer has the most recent service pack installed, you need only install MS01-044 and the other IIS hotfixes that are listed in the default output for the computer to be up to date.

Q: Why does MBSA not display missing software updates for other products, such as Microsoft ISA Server and Microsoft Office?
A: Support for certain products is not included in MBSA 1.2.1. However, support for these products may be included in future releases of MBSA. The following Microsoft Knowledge Base article lists the products that are supported by MBSA:

Q: Does MBSA validate the existence of software updates by checking only registry keys?
A: MBSA examines several values before MBSA reports on the status of a software update. MBSA first examines the registry key that is associated with the software update. MBSA then examines the version and checksum of every file in the software update. MBSA also looks for any registry keys that are required by the software update. If all these values match, MBSA identifies the software update as installed. If any one of these tests do not work, MBSA either identifies the software update as not installed or flags the software update as a warning, depending on the results of the check.

Q: Can I disable registry checks and perform only file checks?
A: To instruct MBSA not to perform the registry checks, use the -z switch. MBSA continues to perform file checks.

Q: I installed several software updates at the same time or as part of a slipstream bundle of software updates, and MBSA reports that a required registry key is not found. What should I do?
A: MBSA checks for certain files and registry keys. If the registry keys are not present, MBSA cannot identify a software update as installed, regardless of how you installed the software update.

Q: Can MBSA read a list of computers or IP addresses to scan?
A: Yes. To have MBSA read a list of computer names, use the -fh switch. To have MBSA read a list of IP addresses to scan, use the -fip switch. You may include up to 256 computer names or IP addresses in the list. Every name or address must be on a separate line. For more information about this feature, view the "HFNetChk-style Scans" section in the following Microsoft Knowledge Base article: Q: Is there a switch that lets MBSA accept a user name and password for a remote computer or a domain?
A: Yes. The -u switch accepts a user name. The -p switch accepts a password. The name or password is presented for authentication to the remote computer.

Q: HFNetChk for IIS 5.0 included an option to send alerts to the event log. Why can MBSA not do this?
A: This feature may be considered for a future release.

Q: How can I request features that I want in future releases?
A: You can submit feature requests to the MBSA newsgroup (microsoft.public.security.baseline_analyzer) on the news.microsoft.com news server.

Q: How does MBSA determine whether a software update is installed?
A: MBSA 1.2.1 examines file versions and checksums to make sure that the files that are present on the target machine are the same files that Microsoft released. This technology is different from the technology that Windows Update uses. This technology was licensed from Shavlik Technologies. For more information about Shavlik Technologies, visit the following Shavlik Technologies Web site:Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.


Q: What services must be running on a remote computer when I use MBSA to scan the computer?
A: MBSA requires NetBIOS access to the Server service and to the Workstation service on the remote computer. If the remote computer is running Microsoft Windows 2000 or a later version of Windows, MBSA also requires NetBIOS access to the Remote Registry service. The Server service is installed when you enable the File and Print Sharing option on the computer.

Q: Can I schedule this scan to run on servers in my environment?
A: Yes. You may create a batch file that regularly runs MBSA against your servers. A sample batch file may look similar to the following:Note You can save this sample batch file in a file that is named Hf.bat and modify the file to suit your needs.

Q: How frequently should I run the mbsacli -hf command?
A: We recommend that you schedule the command to run daily or weekly. This scheduling makes sure that you are automatically alerted about new software updates as Microsoft releases the updates.

Q: Does MBSA automatically download missing software updates?
A: No. MBSA is an assessment utility only.

Q: What information is sent to Microsoft when I run MBSA or the mbsacli -hf command?
A: No information is sent to Microsoft.

Q: Where can I obtain software updates?
A: You can obtain software updates by visiting their Microsoft Security Bulletins on the following Microsoft TechNet Web site:Every bulletin has a Patch Availability section that contains a link to the bulletin's specific software update.

Q: In what order should I apply the software updates?
A: Windows 2000 software updates do not have to be applied in any particular order. Microsoft Windows NT 4.0 software updates also do not have to be installed in any particular order if you restart the computer after you install every update. For more information about how to install multiple patches with only one restart, click the following article number to view the article in the Microsoft Knowledge Base: Q: Where can I find usage examples?
A: To view examples of how to use the mbsacli -hf command, type mbsacli -hf /? at a command prompt, and then press ENTER. You can also view examples by viewing the "HFNetChk-style Scans" section in the following Microsoft Knowledge Base article:Q: Does MBSA report on missing service packs?
A: Yes. MBSA displays a warning message if the computer is not running the latest service pack for the specified program.

Q: Does MBSA work on computers that are running Microsoft Windows 98 or Microsoft Windows Millennium Edition?
A: No. MBSA runs only on computers that are running Windows NT 4.0 or a later version of Windows.

Q: Windows Update says that the software updates that I have installed are up to date. Why does MBSA display that there are more software updates that I have to install?
A: Windows Update maintains software update information only for software updates that are not specific to servers. Typically, software updates that are specific to servers are not available by using Windows Update. However, IIS software updates are available by visiting Windows Update.

Q: Can I put the mbsacli -hf command in a logon script?
A: Yes, you can run the mbsacli -hf command during a logon script process.

For more information about MBSA, visit the following Microsoft Web site:

back to the top

XML File

Q: Where can I obtain the XML file?
A: The XML file (Mssecure.xml) is automatically downloaded from the Web to the computer when you run MBSA without the -x switch. This file is extracted from a compressed CAB file (MSSecure.cab). Then, the file is move to the same folder as the file from which MBSA is run. Typically, this folder contains the MBSA.exe file.

To download the XML file, visit the following Microsoft Web site:For a complete list of links for the localized versions of the file, visit the following Microsoft Web site, and view the answer to the "How can I download the files necessary to run a scan if my proxy server requires authentication?" question.Q: How can I verify that I receive a valid copy of the XML file?
A: The XML file is compressed in a .cab file that Microsoft digitally signs. MBSA does not decompress the .cab file unless the file is signed by Microsoft Corporation. If the file is not signed by Microsoft Corporation, no XML is loaded. In this situation, a warning message is displayed.

Q: How can I obtain an updated version of the XML file?
A: Every time that you run MBSA, MBSA tries to automatically download the latest copy of the XML file. This procedure makes sure that the scan is performed by using the latest software update information.

Q: How do I know that I am using the most recent version of the XML file?
A: When you run MBSA or the mbsacli -hf command, the utility displays the date and version number for the XML file that MBSA uses. For example, the utility displays the following:Q: How frequently is the XML file updated?
A: The XML file is updated whenever a new software update is released or updated. The file may be updated to add more data that supports the release of a new service pack. The file may also be updated to correct any errors that may have been identified in an earlier version. Every time that the file is updated, the version number and the date fields are also updated.

Q: Can I put the XML file on my own server and direct my computers to use this file instead of the file on the Microsoft site?
A: Yes. You can host the XML file on an internal Web server or on a central file share.

Important To make sure that the XML file provides the latest software update information, you must frequently update the XML file by visiting the download location that was mentioned earlier.

To use the XML file from a location that is different from the MBSA installation location, use the -x switch with the mbsacli -hf command. For example, use a command that is similar to one of the following:

• mbsacli -hf -v -z -x C:\temp\detect\hotfixfile.xml

• mbsacli -hf -v -z -x s:\security\hotfixfile.xml

Note In these examples, a copy of Hotfixfile.xml is located in C:\temp\detect, and Hotfixfile.xml is the name of the Mssecure.xml file that has been extracted from the .cab file.

Q: How can I modify the XML file?
A: You can use any XML editor to modify the XML file. However, personal customizations are not supported. These customizations will be overwritten the next time that the XML file is released. Typical operation of MBSA does not require that you modify the XML file.

back to the top

Error Messages

Q: What is the difference between "Patch NOT Found" critical warning messages and note messages?
A: A "Patch NOT Found" message means that at least one of the values that MBSA searched for does not match what is expected for the corresponding software update. You can display the value that does not match by using the -v switch or the -v -z switch. For example, suppose you enter the following command:You may receive non-critical warning messages when you are not running the latest service pack. You may also receive these messages when the files on the computer are later than the files that are included in a software update.

Note messages may be displayed when MBSA cannot determine the state of a software update because MBSA does not support the product. To view a list of products that MBSA supports, visit the following Microsoft Knowledge Base article:When you receive a note message, determine whether the software update is applied by following the recommendations in the associated MSRC bulletin.

Q: Can warning and note messages be suppressed?
A: Yes. To prevent note messages from appearing, use the -s 1 switch. To prevent both note and warning messages from appearing, use the -s 2 switch.

Q: What does it mean when MBSA displays a message that the checksum is invalid, and the file version is equal to or less than what is expected?
A: To determine that the correct version of the file is installed, MBSA examines the checksum and the version of the file on the computer. Then, MBSA compares the checksum and the version with the checksum and the version that is listed in the XML database. If you receive an invalid checksum warning message, the file on the computer is not the same version that the software update provides. This situation may occur when a valid Microsoft file was installed with another software update. The file may be acceptable if the file version is the version that MBSA requires to identify the software update as installed.

Q: Why does MBSA display an "Unable to read XML file" error message?
A: You receive this error message when the computer cannot download the XML file. When this problem occurs, follow these steps:

1. Try to download the file by visiting the following Microsoft Web site:

   http://go.microsoft.com/fwlink/?LinkId=18922

2. Decompress the .cab file, and then move the Mssecure.xml file to the same folder as MBSA.
3. At a command prompt, type the following command, and then press ENTER:

   mbsacli -hf -x mssecure.xml

4. If MBSA still cannot read the file, try to open the XML file in your browser. If the file is valid, you can view the data in your browser. If the file is not valid, the browser generates an error message.

back to the top

Output

Q: Where can I view the output of the mbsacli -hf command?
A: The output of the mbsacli -hf scan appears in a Command Prompt window.

Q: How can I redirect the output to a file?
A: To redirect the output to a file, use the -f switch. For example, type this command: Q: What is the number to the right of the bulletin title in the output?
A: This number is the number of the Microsoft Knowledge Base article that contains information about the security issue and the related software update.

Q: How can I find the related Microsoft Knowledge Base article?
A: Visit the following Microsoft Web site, type the article number in the Search the Knowledge Base box, and then click Go: Q: What does this article number mean? Why are more article numbers not listed for every bulletin?
A: The article number that appears after every bulletin is the number of the software update that is associated with the bulletin. Although multiple article numbers may be associated with a security bulletin, the article number that MBSA displays is the number that is recorded in Add/Remove Programs for the software update. The number is also the number that tools such as hotfix -L and Qfecheck return.

Q: Does MBSA generate error codes?
A: MBSA generates error messages for events. However, MBSA does not generate specific error codes. This functionality may be considered for a future version of MBSA.

Q: Can I prevent MBSA from reporting missing software updates that I do not want to see?
A: MBSA reports all missing MSRC software updates for every machine that MBSA scans. The only way to limit MBSA to specific software updates is to use a Microsoft Software Update Services (SUS) 1.0 server. When an SUS 1.0 server is present, you can instruct the mbsacli -hf command to use the SUS-based ApprovedItems.txt file. This configuration limits software update detection and reporting based on only the software updates that are approved by the SUS administrator. To use this option, use the -sus switch. For example, type the following command:Q: Does the mbsacli -hf command provide delimited output so that I can import the result into a spreadsheet?
A: You can instruct the mbsacli -hf command to provide tab-delimited output by using the -o tab switch. Delimited output works best when the results are redirected to a text file. To use this switch, type a command that is similar to the following: Q: Is a graphical user interface (GUI) available for the mbsacli -hf command?
A: To download a GUI version at no charge, visit the following Microsoft Web site:

back to the top

More Support and Feedback

Q: Where can I send feedback, comments, or questions about MBSA?
A: Support for MBSA is available in the Microsoft public microsoft.public.security.baseline_analyzer newsgroup. To access this newsgroup, you can use the Microsoft news server, news.microsoft.com.

Q: I have installed the software update, but MBSA displays a message that the update is not installed. Who can I talk to?
A: Before you report this issue, run the mbsacli -hf command by using the -v switch to determine the cause of the warning.

If this does not provide information that helps you resolve the issue, post a report to the MBSA newsgroup. If the problem is related to software update installation, contact Microsoft Product Support Services.

Q: Who can I contact a software update that is recommended by MBSA appears to cause problems on my computer?
A: Contact Microsoft Product Support Services.

Q: How can I contact Microsoft Product Support Services?
A: For a complete list of Microsoft Product Support Services phone numbers and information about support costs, view the following Microsoft Web site: When you contact Microsoft Product Support Services with a software update issue, inform them that you are having issues with a software update.

Q: How much does a call to Microsoft Product Support Services cost?
A: There is no charge for support calls that are associated with software updates.

Q: Who developed the HFNetChk functionality?
A: The HFNetChk functionality that is integrated into MBSA 1.2.1 was developed for Microsoft by Shavlik Technologies LLC. Shavlik Technologies LLC is a Microsoft Gold Certified Partner. More information about Shavlik is available on the http://www.shavlik.com/about.aspx Web site. To contact Shavlik, send a message to info@shavlik.com.

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Q: How can I know when a new version of MBSA is available?
A: MBSA indicates when a new version is available. MBSA checks its internal version number against the version number that is stored in the XML file every time that MBSA runs. If the XML file lists a later version, MBSA displays a message at the top of the output that recommends that you obtain the latest version of MBSA from Microsoft.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.