How to obtain and use the MS04-028 Enterprise Update Scanning Tool in environments that do not use Systems Management Server (886988)


The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows NT Server 4.0 SP6a
  • Microsoft Windows NT Server, Enterprise Edition 4.0 SP6a
  • Microsoft Windows NT Server 4.0 Terminal Server Edition SP6
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

SUMMARY

Microsoft has re-released the MS04-028 Enterprise Update Scanning Tool (2006.05.09-v2-EnterpriseScan-x86-EN.exe). IT professionals can use the 2006.05.09-v2-EnterpriseScan-x86-EN.exe tool to scan computers for the required MS04-028 security updates and to apply any missing updates from a local area network (LAN) share. The tool can be run from a startup or logon script or by a user with local administrator rights. The tool is intended for use in environments where Microsoft Systems Management Server (SMS) or any other enterprise management solution is not used for update management. For SMS users, see the following Microsoft Knowledge Base article:

885920 How to obtain and use the MS04-028 Enterprise Update Scanning Tool in environments that use Systems Management Server 2003 and Systems Management Server 2.0

Notes

The MS04-028 Enterprise Update Scanning Tool has been tested on the operating systems that are listed in the Applies To section. See the MS04-028 security bulletin for a list of all affected products and components.

The revised version of the MS04-028 Enterprise Update Scanning Tool includes detection and deployment for Microsoft Visual FoxPro 8.0, as well as updates for Microsoft .NET Framework 1.0 with Service Pack 2 (SP2) and Microsoft .NET Framework 1.1.

The previous release of the MS04-028 Enterprise Update Scanning Tool included only security updatesfor the Microsoft .NET Framework products listed in the "Affected Software" section of the MS04-028 security bulletin. The updated version of this tool only checks for Microsoft .NET Framework 1.0 SP2 and Microsoft .NET Framework 1.1 updates for for each product listed in the "Affected Software" section of the MS04-028 security bulletin when checking for the Microsoft .NET Framework products that need updating. Customers who are using the previous version of this tool and who need security update detection, installation, or both can continue to use the original release of this tool and use the new version of this tool for Microsoft Visual FoxPro 8.0 detection. Microsoft recommends that customers who are using this tool for the first time use only the new version of this tool because it supports Microsoft .NET Framework 1.0 SP2 and Microsoft .NET Framework 1.1 updates.



For more information about Critical Security Update MS04-028, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

The MS04-028 Enterprise Update Scanning Tool will detect and update the MS04-028 security updates for the following products:
  • Microsoft Windows XP, Windows XP Service Pack 1 (SP1)
    Languages: English (United States), French (France), German (Germany), Japanese, Chinese (Taiwan), Chinese (China), Italian (Italy), Spanish (Spain), Korean
  • Microsoft Windows Server 2003
    Languages: English (United States), French (France), German (Germany), Japanese, Chinese (Taiwan), Chinese (China), Italian (Italy), Spanish (Spain), Korean
  • Microsoft Office XP Service Pack 3 (SP3)
    Languages: all supported languages
  • Microsoft Outlook 2002 SP3, Microsoft Word 2002 SP3, Microsoft Excel 2002 SP3, Microsoft PowerPoint 2002 SP3, Microsoft FrontPage 2002 SP3, Microsoft Publisher 2002 SP3, Microsoft Access 2002 SP3
    Languages: all supported languages
  • Microsoft Office 2003
    Languages: all supported languages
  • Office Outlook 2003, Office Word 2003, Office Excel 2003, Office PowerPoint 2003, Office FrontPage 2003, Office Publisher 2003, Office Access 2003, Microsoft Office InfoPath 2003, Microsoft Office OneNote 2003
    Languages: all supported languages
  • Microsoft Project 2002 Service Pack 1 (SP1)
    Languages: all supported languages
  • Microsoft Project 2003
    Languages: all supported languages
  • Microsoft Visio 2002 Service Pack 2 (SP2)
    Languages: all supported languages
  • Microsoft Visio 2003
    Languages: all supported languages
  • Microsoft Visual Basic .NET Standard 2002, Microsoft Visual C# .NET Standard 2002, Microsoft Visual C++ .NET Standard 2002
    Languages: all supported languages
  • Microsoft Visual Studio .NET 2002
    Languages: all supported languages
  • Microsoft Visual Studio .NET 2003
    Languages: all supported languages
  • Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, Visual J# .NET Standard 2003
    Languages: all supported languages
  • Microsoft .NET Framework version 1.0 SDK Service Pack 2 (SP2)
  • Microsoft .NET Framework 1.0 with Service Pack 2 (SP2)
    Languages: English (United States), French (France), German (Germany), Japanese, Chinese (Taiwan), Chinese (China), Italian (Italy), Spanish (Spain), Korean
  • Microsoft .NET Framework 1.1
    Languages: all supported languages
  • Microsoft Picture It! 2002
    Languages: English (United States), French (France), German (Germany), Japanese, Italian (Italy), Spanish (Spain)
  • Microsoft Greetings 2002
    Languages: English (United States), French (France), German (Germany), Japanese, Italian (Italy), Spanish (Spain)
  • Microsoft Picture It! Version 7 and Microsoft Digital Image Pro version 7
    Languages: English (United States), French (France), German (Germany), Japanese, Italian (Italy), Spanish (Spain), Korean
  • Microsoft Picture It! Version 9, Microsoft Digital Image Pro Version 9, Microsoft digital Image Suite Version 9
    Languages: English (United States), French (France), German (Germany), Japanese, Italian (Italy), Spanish (Spain), Korean
  • Microsoft Producer for Microsoft Office PowerPoint
    Languages: English (United States), French (France), German (Germany), Japanese, Chinese (Taiwan), Chinese (China), Italian (Italy), Spanish (Spain), Korean
  • Internet Explorer 6 Service Pack 1 (SP1)
    Languages: English (United States), French (France), German (Germany), Japanese, Chinese (Taiwan), Chinese (China), Italian (Italy), Spanish (Spain), Korean
  • Windows Journal Viewer 1.5
    Languages: Chinese (Taiwan), German (Germany), English (United States), French (France), Japanese, Korean, Chinese (China)
  • Microsoft Visual FoxPro 8.0
    Languages: all supported languages
The MS04-028 Enterprise Update Scanning Tool will not detect or install the MS04-028 security updates for the following products:
  • The Platform SDK Redistributable
  • Microsoft Visual FoxPro 8.0 Runtime Library
The MS04-028 Enterprise Update Scanning Tool will not detect or install the MS04-028 security updates on the following operating systems:
  • Windows 98, Windows 98 SE, and Windows Millennium Edition
  • Windows NT 4.0 Workstation
  • Windows XP, 64-bit Editions
  • Windows Server 2003, 64-bit Editions
  • Windows XP Embedded
back to the top

INTRODUCTION

This article contains step-by-step instructions on how to obtain the MS04-028 Scan and Update Tool and how to use the tool by using a startup script, a logon script, or by running the tool manually. This tool is intended to provide a scanning and deployment solution for the updates that are released with MS04-028 in environments where SMS or any other enterprise management solution is not used for update management. The steps are provided as an example only. You may have to modify the steps according to the requirements and the limitations of your environment.

The MS04-028 Enterprise Update Scanning Tool, version 2, has Microsoft .NET Framework 1.0 SP2 security update detection, Microsoft .NET Framework 1.1 security update detection, and Microsoft Visual FoxPro 8.0 detection .

The following files are available for download from the Microsoft Download Center:

MS04-028 Enterprise Update Scanning Tool, version 2:

DownloadDownload the MS04-028 Enterprise Update Scanning Tool, version 2 package now.

MS04-028 Enterprise Update Scanning Tool, version 1:

DownloadDownload the MS04-028 Enterprise Update Scanning Tool, version 1 package now.


Note The previous release of the MS04-028 Enterprise Update Scanning Tool included only service packs for the Microsoft .NET Framework products listed in the "Affected Software" section of the MS04-028 security bulletin. The updated version of this tool only checks for Microsoft .NET Framework 1.0 SP2 and Microsoft .NET Framework 1.0 updates for for each product listed in the "Affected Software" section of the MS04-028 security bulletin when checking for the Microsoft .NET Framework products that need updating. Customers who are using the previous version of this tool and who need service pack detection, installation, or both can continue to use the original release of this tool and use the new version of this tool for Microsoft Visual FoxPro 8.0 detection. Microsoft recommends that customers who are using this tool for the first time use only the new version of this tool because it supports Microsoft .NET Framework 1.0 SP2 and Microsoft .NET Framework 1.0 updates.
back to the top

MS04-28 Enterprise Update Scanning Tool options

The MS04-28 Enterprise Update Scanning Tool provides the following options.
  • Scanning only: This option scans for missing updates that pertain to MS04-028 and writes the results to log files.
  • Scanning and deployment: This option scans for missing updates that pertain to MS04-028 and also installs the missing updates. This option also writes the results to log files.

Scanning and deployment methods

The MS04-028 Enterprise Update Scanning Tool can be implemented to scan and deploy missing updates for MS04-028 by using any one of the following methods:
  • Computer startup script method
  • User logon script method
  • Manually initiated method by using a local folder or a remote share
back to the top

Computer startup script method

This method enables the scanning tool to run at computer startup. This method will only work in an Active Directory domain environment. Windows NT 4.0 Server-based computers cannot use the computer startup script method. Scanning onlyIf you want to detect missing updates for MS04-028 by using the computer startup script method, follow these steps:
  1. Complete the steps in the Initial setup and configuration section.
  2. Set up a startup script. To do this, follow these steps:
    1. In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, right-click the domain name, and then click Properties.
    2. Click the Group Policy tab.
    3. Click Default Domain Policy, and then click Edit.
    4. Expand Computer Configuration, expand Windows Settings, and then click Scripts.
    5. Double-click Startup, and then click Add. The Add a Script dialog box appears.
    6. In the Script Name box, type wscript.exe.
    7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs.
    8. Click OK, and then click Apply.
  3. To perform a scan on a client computer, restart the client computer that is a member of the domain.
  4. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.
Scanning and deploymentIf you want to detect and install missing updates for MS04-028 by using the computer startup script method, follow these steps:
  1. Complete the steps in the Initial setup and configuration section.
  2. Continue with the server setup. To do this, go to the Configure a server for deployment section.
  3. Set up a startup script. To do this, follow these steps:
    1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
    2. Click the Group Policy tab.
    3. Click Default Domain Policy, and then click Edit.
    4. Expand Windows Settings for Computer Configuration, and then click Scripts.
    5. Double-click Startup, and then click Add. The Add a Script dialog box appears.
    6. In the Script Name box, type wscript.exe.
    7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs /Install.
    8. Click OK, and then click Apply.
  4. To perform a scan and deployment on a client computer, restart the client computer that is a member of the domain.
  5. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.
back to the top

Logon script method

Important Do not use the logon script method on Terminal Server-based computers. Multiple instances of the tool that are running at the same time may produce unpredictable results.Scanning onlyIf you want to detect missing updates for MS04-028 by using the logon script method, follow these steps:

Note The logon user must have Administrative permissions for the script to run successfully.
  1. Complete the steps in the Initial setup and configuration section.
  2. Set up a logon script. To do this, follow these steps:
    1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
    2. Click the Group Policy tab.
    3. Click Default Domain Policy, and then click Edit.
    4. Expand Windows Settings for User Configuration, and then click Scripts.
    5. Double-click Logon, and then click Add. The Add a Script dialog box appears.
    6. In the Script Name box, type wscript.exe.
    7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs.
    8. Click OK, and then click Apply.
  3. To perform a scan on a client computer, log off the client computer, and then log back on to the client computer with an administrator account to run the script.
  4. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.
Scanning and deploymentIf you want to detect and install missing updates for MS04-028 by using the user logon script method, follow these steps:
  1. Complete the steps in the Initial setup and configuration section.
  2. Continue with the server setup. To do this, go to the Configure a server for deployment section.
  3. Set up a logon script. To do this, follow these steps:
    1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
    2. Click the Group Policy tab.
    3. Click Default Domain Policy, and then click Edit.
    4. Expand Windows Settings for User Configuration, and then click Scripts.
    5. Double-click Logon, and then click Add. The Add a Script dialog box appears.
    6. In the Script Name box, type wscript.exe.
    7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs /Install.
    8. Click OK, and then click Apply.
  4. To perform a scan and deployment on a client computer, log off the client computer, and then log back on to the client computer with an administrator account to run the script.
  5. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.
back to the top

Manually initiated method

To use the MS04-028 Enterprise Update Scanning Tool, the tool must be run by a user account that is a member of the local Administrators group.From a local folderScanning only
  1. Download the MS04-028 Enterprise Update Scanning tool. The following file is available for download from the Microsoft Download Center:
    DownloadDownload the MS04-028 Enterprise Update Scanning tool, version 2 package now.
  2. Run 2006.05.09-v2-EnterpriseScan-x86-EN.exe, and then install it to a local folder.
  3. To perform a scan on the local computer, run the following command at a command prompt:

    WScript.exe //B Path\UpdateInstall.vbs

  4. To see the results, review the logs in the %windir%\system32\Vpcache\Updatescan folder. For more information, see the Analyze the tool output section.
Scanning and deployment
  1. Download the MS04-028 Enterprise Update Scanning tool. The following file is available for download from the Microsoft Download Center:
    DownloadDownload the MS04-028 Enterprise Update Scanning tool, version 2 package now.
  2. Run 2006.05.09-v2-EnterpriseScan-x86-EN.exe, and then install it to a local folder.
  3. In the local folder where you extracted the MS04-028 Enterprise Update Scanning Tool, create a folder that is named UpdateStore. In the UpdateStore folder, create a folder that is named Updates.
  4. In the Updates folder, create a folder structure to save the updates. Create the folder structure as described in the Configure a server for deployment section. You do not have to create a file share to install updates to a local computer.
  5. To perform a scan and install on the local computer, run the following command at a command prompt:

    wscript //b Path\updateinstall.vbs /store Path\updates /install

From a remote shareScanning only
  1. Complete the steps in the Initial setup and configuration section.
  2. To perform a scan on the local computer, run the following command at a command prompt:

    WScript.exe //B \\ServerName\UpdateStore\UpdateInstall.vbs

  3. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.
Scanning and deployment
  1. Complete the steps in the Initial setup and configuration section.
  2. Continue with the server setup. For more information, go to the Configure a server for deployment section.
  3. To perform a scan and deployment on the local computer, run the following command at a command prompt:

    WScript.exe //B \\ServerName\UpdateStore\UpdateInstall.vbs /Install

  4. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.
back to the top

Initial setup and configuration

  1. Download the MS04-028 Enterprise Update Scanning tool. The following file is available for download from the Microsoft Download Center:
    DownloadDownload the MS04-028 Enterprise Update Scanning tool, version 2 package now.
  2. Configure the server and share. To do this, follow these steps:
    1. Set up a share on a member server, and then name it UpdateStore.
    2. Run 2006.05.09-v2-EnterpriseScan-x86-EN.exe, and install it to the UpdateStore folder.
    3. Configure the following share and NTFS file system (NTFS) permissions:
      • Share permission:
        • Add the domain user account for the user who is managing this share, and then choose Full Control.
        • Remove the Everyone group.
        • If you use the computer startup script method, add the Domain Computers group with Change and Read permissions. If you use the logon script method, add the Authenticated Users group with Change and Read permissions.
      • NTFS permission:
        • Add the domain user account for the user who is managing this share, and then choose Full Control.
        • Remove the Everyone group if it is in the list.

          Note If you receive an error message when you remove the Everyone group, click Advanced on the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.
        • If you use the computer startup script method, grant the Domain Computers group Read and Execute, List Folder Contents, and Read permissions.
        • If you use the logon script method, grant the Authenticated Users group Read and Execute, List Folder Contents, and Read permissions.
    4. Create a folder and name it Results under the UpdateStore folder. This is where the final report files will be written to during the scanning process.
    5. Configure the NTFS permissions on the Results folder. To do this, use the following methods:

      Note Do not change the Share permissions in this step.
      • Add the domain user account for the user who is managing this share, and then choose Full Control.
      • If you use the computer startup script method, give the Domain Computers group Modify, Read and Execute, List Folder Contents, Read, and Write permissions.
      • If you use the logon script method, give the Authenticated Users group Modify, Read and Execute, List Folder Contents, Read, and Write permissions.
    6. Configure the UpdateInstall.ini file as described in this article.
back to the top

Configure the server for deployments

  1. Set up the folder structures that are required by the installer. In the shared folder (UpdateStore) that you created in the Initial setup and configuration section, create the following folder structure:
    - UpdateStore
    \ Result
    - Updates
        - .Net Framework 1.0
            \ 1033
        - .Net Framework 1.1
            \ 0
        + Internet Explorer 6
        - Office
            - 831931
                \ 0
            + 831932
            + 832332
            + 838344
            + 838345
            + 838905
        - PictureIt! or Digital Image v6
            - 1033
        + PictureIt! or Digital Image v7
        + PictureIt! or Digital Image v9
        + Producer for 2003
        + Visual Studio .NET 2002
        + Visual Studio .NET 2003
        + Windows Server 2003
        - Windows XP
            \ 1033


    Microsoft has provided a batch file to automatically create the appropriate folder structure. To use the MakeFolders.cmd batch file, create an empty Updates folder, and then run the batch file with the following syntax:

    MakeFolders.cmd PathLocaleID

    Note Path is the path of the Updates folder, and LocaleID is the locale ID (LCID) for the languages that you want to install. For example:

    MakeFolders.cmd c:\UpdateStore\Updates 1033

    You can run the batch file multiple times in the same Updates folder to create as many locale folders as you must have. You may also use the "." relative path syntax to indicate the current working directory. For example, to create a folder structure for U.S. English updates in the current directory, you would run the following command:

    Makefolders.cmd . 1033

    Note that the batch file uses the Cacls.exe command to set permissions on the folders that it creates. Permissions on all files and folders inside Path will be set to Administrators/Full Control and Everyone/Read.

    Note After running Makefolders.cmd, you must also rename all the Picture It/Digital Image folder names as noted:
    • PictureIt! or Digital Image v6 to Picture It! or Digital Image v6
    • PictureIt! or Digital Image v7 to Picture It! or Digital Image v7
    • PictureIt! or Digital Image v9 to Picture It! or Digital Image v9
  2. The folder structure for the update files is built with the following rules. If you use the batch file to create the folder structure, this process will be automated:
    • The subfolders under the Updates folder are for individual products. The product names must be the same as the product names that are in the Product column in the UpdateList.xls file. The UpdateList.xls file is located in the UpdateStore share. The product list is provided for your reference, but the file itself does not affect the scanning or deployment process in any way. The UpdateList.xls file does not include the Office, Visio, or Project updates.

      If you are creating a folder with a name that starts with a "." (period) character, you must create the folder from the command line. For example, you must type md .Net Framework 1.0. If you receive error message when you create the folder, you may have the command extensions turned off. To turn on the command extensions, type cmd e:on at a command prompt. After you create the folder, you can turn the command extensions off by typing cmd e:off at the command prompt.
    • For Office updates: Create subfolders that are named after the Microsoft Knowledge Base number. For example, for the Project 2002 update, you would use 831931. As soon as you have created the Microsoft Knowledge Base folders, create a subfolder under each Knowledge Base folder, and then name the subfolder 0 (zero). This folder is the folder where you must put the downloaded full-file update for the applicable Office product.
    • For the .NET Framework 1.1, Visual Studio .NET 2002, and Visual Studio .NET 2003: Create a folder for each product. Inside each product folder, create a subfolder that is named 0 (zero).
    • For products other than Office, .NET Framework 1.1, and Visual Studio .NET 2002 and 2003: Name the subfolders with the LCID of the update that you are installing. For example, you must use 1033 for English (United States) updates. For more information about Locale IDs, visit the following Microsoft Web site:

      http://www.microsoft.com/globaldev/reference/lcid-all.mspx

      .
    • Locale ID list
      The following is a list of languages and the corresponding Locale IDs that are supported by various updates that the tool can deploy:
      • 1033 English - United States
      • 1036 French - France
      • 1031 German - Germany
      • 1041 Japanese
      • 1040 Italian - Italy
      • 1034 Spanish - Spain
      • 1042 Korean
      • 1028 Chinese - Taiwan
      • 4100 Chinese - China
  3. Download the updates.

    For updates that pertain to Office, Visio, and, Project, download each applicable full-file update from the links that are provided in the MS04-028 security bulletin. Put the full file updates in their respective folder. For example, for Project 2002 you would put the full-file update in the UpdateStore\Updates\Office\831031\0 folder.

    For non-Office updates, you can find the complete list of downloads that are available for this bulletin in the UpdateList.xls file. This file is located in the UpdateStore share. Put the downloaded executable file (.exe file) in the folder that is named after the LCID under the product folder. For example, for the Windows XP English update, put the executable file in the UpdateStore\Updates\Windows XP\1033 folder.
back to the top

Configure the UpdateInstall.ini file

The behavior of the MS04-028 Enterprise Update Scanning Tool is governed by the UpdateInstall.ini file. You can specify six parameters in this file. All these parameters are located under a [CommandLine] section heading. You can specify the following parameters:
  • Share= \\ServerName\ShareName\Path
    This parameter specifies the location to which the tool will write its log files. For more information, see the Analyze the tool output section. Include the full path of the target folder.
  • Store= \\ServerName\ShareName
    This parameter specifies the location of the product update files. If you use the tool to deploy updates, this is where we recommend that you build the deployment folder structure.

    Note The tool will look for an "Updates" folder in the share. Do not include the "Updates" folder in the path.
  • Norestart= {True|False}
    When this parameter is set to True, the tool will not restart the computer after you install updates, even if one or more of the installed updates requires a restart to complete installation of the update. When this parameter is set to False, if the tool installs one or more product updates that require a restart for installation to complete, the tool will restart the computer to complete the installation of the updates. It is possible, however unlikely, that an update may not always install correctly yet may cause the tool to restart the computer. If this behavior occurs, the computer may continually restart. To correct the issue, set the NoRestart parameter to True. This will let the computer restart ordinarily and let you troubleshoot the problem.

    Note If Microsoft Producer is installed by the tool, a restart of the computer cannot be suppressed. To avoid unwanted restarts on computers that have Producer installed, do not copy the update for Producer to the UpdateStore file share. Instead, manually update computers where Producer is installed.
  • Debug=
    Leave this parameter blank unless instructed otherwise by Microsoft Product Support Services.
  • Authorized=
    This parameter is a list of Office updates that the tool will report as missing if they are not present on the computer. If this parameter is left blank, the tool will report on all Office updates.
  • ScanInterval=
    This parameter determines the number of days that the tool will wait to rescan a computer that it has determined needs no updates. This parameter is valuable for deploying the tool through a logon script or a computer startup script. Instead of running at every logon or startup, the tool will first test whether it determined that no updates were needed on its last run. If no updates were needed, the tool will only perform another scan if more than ScanInterval days have elapsed. In this manner, the tool can provide updates for products that are installed on a computer after the tool has been deployed. However, the tool does not create excessive output logs. The tool stores the date that it last ran and determined the computer needed no updates in the following registry value:

    HKEY_LOCAL_computer\Software\Microsoft\Updates\UpdateScan\LastRun

    The tool only examines the ScanInterval parameter if it has previously determined that all applicable updates were installed on a computer. If one or more updates are missing, the tool will scan and deploy updates, as applicable, on its next run regardless of what the value of the ScanInterval parameter is.

    If you want to perform a scan every time that the tool is run, set this parameter to 0 (zero).

    If you want the tool to install all applicable updates and then never run again, set this parameter to an arbitrarily large number like 9999.

    If you want to rescan a single computer before ScanInterval days have elapsed, delete the HKEY_LOCAL_computer\Software\Microsoft\Updates\UpdateScan\LastRun registry value before you rescan the computer. If you want to rescan all the computers that are in your environment, set this parameter to 0 (zero).
back to the top

Analyze the tool output

The MS04-028 Enterprise Update Scanning Tool produces output in two locations that you can use to analyze the results of scanning and detection. You can also consolidate these reports for analysis on an enterprise level.

The tool always reports output on the local computer, in the %windir%\system32\VPCache\UpdateScan folder. The output files are Result.txt, UpdateScan.log, Results.xml, and Result.csv. These files are overwritten every time that you run the tool.

The tool also writes output files to the file share that is specified in the Share parameter of the UpdateInstall.ini file. The output files are named ComputerName_Date.txt and ComputerName_Date.csv, where ComputerName is the NetBIOS name of the computer and Date is in the format yyyymmddhhmmss.

The .csv files are in Unicode format. To view these files in Excel, follow these steps:
  1. Start Excel.
  2. On the File menu, click Open.
  3. In the Files of type list, click *.csv.
  4. Click the file that you want to open, and then click Open.
  5. The import wizard will guide you through opening the file.

Result.txt

This file is located in the VPCache\UpdateScan folder on the computer on which the scan was run. The Result.txt file is a human-readable file that logs the progress of the execution of the tool, lists software updates that the tool has determined were missing from the computer, and lists the updates that the tool applied or tried to apply to the computer. This file is useful for manually reviewing the execution of the tool.

Note The tool will only run on currently supported Microsoft operating systems. If you run the tool on an unsupported operating system, you will receive the following message: No checks apply to this system If you receive this message, it means that one of the following conditions is true:
  • The tool is being run on an unsupported operating system.
  • No non-Office products are installed that are vulnerable to the MS04-028 vulnerability.
You must manually verify that the tool is running on a supported operating system. That is, you must verify that the combination of operating system and operating system service pack is supported. If the detection tool determines that no updates are required on the system, the following text will be in the Result.txt file:

no missing updates detected

This text indicates that the operating system and all applicable applications are correctly updated.

The Result.txt file contains information about all products that are detected and updated by the tool.

UpdateScan.log

This file is located in the VPCache\UpdateScan folder on the computer where the scan was run. The UpdateScan.log file is primarily a debug log file of the execution of the tool. It is not practical for most users to use this file to capture useful information about the execution of the tool.

Results.xml

This file is located in the VPCache\UpdateScan folder on the computer where the scan was run. You can use the Results.xml file to aggregate data about non-Office updates across an enterprise. In particular, the "Status" field indicates whether a particular update is Applicable or Installed.

The XML file will not contain any data that is relevant to Office updates. For more information about Office updates, review the OfficeUpdate.MOF file in the NSHC folder.

OfficeUpdate.MOF

This file is located in the VPCache\UpdateScan\NSHC folder. The OfficeUpdate.MOF file lists the results from the Office Detection Tool. It complements the output in the Results.xml file.

Result.csv

This file is located in the VPCache\UpdateScan folder on the computer where the scan was run. The Result.csv file is a comma-delimited text file that you can use to aggregate data across an enterprise. It contains a header line that indicates the order of fields in the file, and one line for each affected product that was detected during the scan.

The following table describes the fields that are in the file:
FieldDescription
computerNameThe NetBIOS name of the computer.
ScanDate The date of the scan, in WMI date format. For more information about the WMI date format, visit the following Microsoft Developer Network Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/date_and_time_format.asp

Operating System The operating system, including the service pack.
Product The name of the affected product that the tool detected on the computer. Multiple affected products may be detected on a computer.
Title The title of the Microsoft Knowledge Base article that applies to the detected product.
KB The Microsoft Knowledge Base article number that applies to the detected product.
Status The status of the update for the detected product. The Status field will be one of the following values:

Applicable
Installed
LocaleID The locale of the affected product.
Binary The file name of the update executable file.
BinPathThe path from which the binary can be downloaded from the Microsoft Web site.
The Result.csv file contains information about all products that are detected and updated by the tool.

The Status field indicates whether a required update is present. A status of "Applicable" indicates that the tool has detected a product with the MS04-028 vulnerability that has not been updated. A status of "Installed" indicates that the update is on the computer.

If updates are required on a computer, the tool will show a status of "Applicable" for each vulnerable product. Then, it will start the appropriate update installer. To verify that the updates were successfully installed, you must run the tool again and then verify that the status for all products is "Installed."

Note Microsoft may add fields to the .csv file in the future. But Microsoft will not change the order or the format of existing fields that are documented in this article.

ComputerName_Date.txt

This file is saved to the Results file share that is specified in the UpdateInstall.ini file. The ComputerName_Date.txt file is a copy of the Result.txt file that is saved to the local computer.

ComputerName_Date.csv

This file is saved to the Results file share that is specified in the UpdateInstall.ini file. The ComputerName_Date.csv file is a copy of the Result.csv file that is saved to the local computer.

back to the top

Consolidate data from multiple computers

Enterprise customers may want to consolidate the output data from multiple computers into an easy to read report, a database, or another format for purposes of reporting or compliance checking. Because of diverse customer requirements, Microsoft has not provided a centralized reporting solution with the tool. However, the .csv files that are saved to a centralized file share were designed to make such centralized reporting possible.

back to the top

Uninstall the tool

To uninstall the tool from client computers, delete the %windir%\system32\VPCache\UpdateScan folder.

back to the top

Limitations

  • You must run the MS04-028 Enterprise Update Scanning Tool under the Administrator or System context.
  • This tool has been tested on Windows 2000 and later operating systems with supported service packs only. When the tool is run in an unsupported operating system configuration such as Windows 2000 Service Pack 2 (SP2), you receive the following message:No checks apply to this system
  • This tool performs local scans only.
  • If you have used the administrative installation point to deploy Office products, you must continue to use that method of deployment. However, you can use this tool to obtain a scanning report.
  • This tool does not provide detection for third-party applications that may be using a vulnerable version of the GDI+ component. For more information, see the MS04-028 security bulletin.
  • Any modification or customization of the tool is not permitted under the End User License Agreement (EULA).
  • Microsoft only supports the MS04-028 Enterprise Update Scanning Tool by executing the Updateinstall.vbs script. Any other entry point into the tool is unsupported.
  • To run the tool on Windows NT 4.0 Server-based computers, you must have the following components installed on the computer. If these components are not present, the tool will not run correctly, and no output reports will be generated:
  • In certain circumstances, you may be prompted for the source location of Office files during detection. If this behavior occurs, make sure that Windows Installer 2.0 is installed on the computer. Windows Installer 2.0 is required for the Office updates according to the MS04-028 security bulletin.
  • The tool has only been tested on supported operating systems with supported versions of affected products. The tool may report inaccurate information or may not report information about unsupported products. For more information about supported product versions, see the following Microsoft Web sites:

    Windows Life-Cycle Policy
    http://www.microsoft.com/windows/lifecycle/default.mspx

    Product Lifecycle Dates - Windows Product Family
    http://support.microsoft.com/gp/lifeselect

  • The tool requires MSXML (Microsoft XML Parser) 3.0 to be present on any computer on which it is run. MSXML 3.0 is installed by Internet Explorer 6 and Internet Explorer 6 SP1. MSXML 3.0 is also part of Windows Server 2003. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    269238 Version list for the Microsoft XML parser

  • The tool requires Internet Explorer 6 or Internet Explorer 6 SP1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

    328548 How to obtain the latest service pack for Internet Explorer 6

back to the top

Frequently asked questions

Q1: Why does my Result.txt report say "No checks apply to this system" but still indicates that Office updates are required?

A1: The Enterprise Update Scanning Tool internally is made up of two parts. One part scans the operating system and non-Office applications, and the second part performs a scan of Office applications. This message indicates that the non-Office scanner did not find any updates that must be applied to the computer.

This message does not necessarily mean that no updates are required. The computer may have an operating system that is not vulnerable yet Office products that are vulnerable may be installed on the computer. In this case, you will see indications in the Result.txt from the Office scan that updates are required.

You may also receive this message if you are running the tool on an unsupported platform. That is, the combination of operating system and service pack is not supported. The tool will only perform the non-Office scan on a supported platform.

Important You must verify that you are running a supported platform if you receive this message. You may have vulnerable products installed that are not updated by the tool if you are running an operating system that is not supported by the tool.

Q2: I have Visual Studio .NET 2003 installed on Windows XP SP1. Why does the tool only detect the operating system update for MS04-028 on my computer and not the Visual Studio .NET update?

A2: If you are running Windows XP or Windows Server 2003, you only have to install the updates for the operating system and Office products. You do not have to install the updates for other Microsoft products. These products use the version of GDI+ that is supplied by the operating system. However, if you have deployed third-party applications that use GDI+, see the software vendor for more guidance.

Q3: I have deployed internally developed applications that use GDI+. Will the tool update these applications?

A3: No. The tool will only detect and update Microsoft products. If you have third-party applications that use GDI+, these applications may be vulnerable. For more information about how to make sure that non-Microsoft products are correctly updated to help protect against this vulnerability, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnsecure/html/gdiplus10security.asp

Q4: How do I verify that all updates have been applied to a computer?

A4: After you run the tool and the tool installs updates, run the tool again to verify the installation of updates. The Result.txt file should indicate "No missing updates detected" when all applicable updates have been successfully installed on the computer.

Note If any updates require a restart of the computer, the tool will only detect these updates as being installed after the restart is performed.

Alternatively, you may examine the .csv file. If the .csv file shows no updates with a status of "Applicable," and if the platform is a supported platform, the computer is fully updated. A .csv file with only a header row does meet the criteria of a .csv file that shows no updates with a status of "Applicable."

Q5: The tool is producing no output. What is happening?

A5: Make sure that the client computer meets all the prerequisites that are listed in the Limitations section.

Q6: One or more updates is not being applied and I receive a 1603 error in the Result.txt file. What does this mean?

A6: The most common cause of a 1603 error is that the installer cannot find the original install source of the affected application. Under some circumstances, the original installation media is required. If you deployed one of these applications from a file share on your network, make sure that the client computer can access the original file share and that the original file share has the original installation files.

back to the top
Modification Type:MajorLast Reviewed:8/24/2006
Keywords:KbSECTools KbSECVulnerability kbSecurity KB886988 kbAudEndUser kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.