How to use the October 10, 2006 Enterprise Update Scan Tool (standalone version)

In This Document

Summary Introduction Manually initiated scanning method From a local folder

Analyze the tool output Consolidate data from multiple computers Uninstall the tool Limitations Frequently asked questions

Summary
Microsoft has released the Enterprise Update Scan Tool (the tool) as a detection aid for bulletinclass updates that are not detected by MBSA or the Office Inventory Tool. IT professionals can use the tool to scan computers for the required security updates. The tool can be run from a startup or logon script by a user with local administrator rights. The tool is intended for use in environments where Microsoft Systems Management Server (SMS) or any other enterprise management solution is not used for update management. For SMS users, visit the SMS Web site to obtain the SMS version of the tool. The tool will detect and update the security updates for the following products / bulletins: MS06-056 - Vulnerability in ASP.NET 2.0 Could Allow Information Disclosure (922770) Affected Platforms: .Net Framework 2.0 installed on Windows 2000 SP4 .Net Framework 2.0 installed on Windows XP SP1 or XP SP2 .Net Framework 2.0 installed on Windows Server 2003 RTM or 2003 SP1

Original Release Date: October 10, 2006

Languages: All supported languages The tool will not detect security updates on the following operating systems:

Windows 2000 Service Pack 3 and prior versions Windows NT 4.0 (all versions) Windows 98, Windows 98 SE, and Windows Millennium Edition Windows XP 64-bit Editions Windows Server 2003 64-bit Editions Windows XP Embedded

Introduction
This article contains step-by-step instructions on how to use the tool that is provided with the associated bulletin release. This tool is intended to provide a scanning for the updates that are released with bulletin-class Microsoft Security Response Center issues where SMS or any other enterprise management solution is not used for update management. The steps are provided as an example only. You may have to modify the steps according to the requirements and the limitations of your environment. Manually initiated scanning method To use the tool, the tool must be run by a user account that is a member of the local Administrators group. From a local folder Scanning only
1.

Run the tool installation you obtained from Product Support, and then install it to a local folder. To perform a scan on the local computer, run the following command at a command prompt: UpdateScan.exe /xml:UpdateScan.xml /logfile:UpdateScan.log /loglevel:3 /deleteresults Usage syntax: /xml:UpdateScan.xml Indicates the input filename of the detection manifest /logfile:UpdateScan.log Indicates the troubleshooting log filename /loglevel:3 Indicates the level of detail provided by the log file output /deleteresults Unless specified, subsequent scan results will be appended

2.

to an existing results.xml file Note: Microsofts testing was based on the use of these command line options, and is the only configuration supported by the tool. Future releases may modify command line support, but such changes will be documented.
3.

To see the results, review the log (optional) and the file results.xml. The log will be written to the current working directory, however the results.xml will be written to the folder from which the tool was run. For more information, see the Analyze the tool output section.

Analyze the tool output The tool produces output in two locations (the log file and the xml file) that you can use to analyze the results of scanning and detection. You can also consolidate these reports for analysis on an enterprise level. UpdateScan.log This file is located in the folder on the computer that was the current working directory at the time the tool was run. The UpdateScan.log file is primarily a debug log file of the execution of the tool. It is not practical for most users to use this file to capture useful information about the execution of the tool. Results.xml Once the tool has been run, the results.xml file can be located in the folder on the computer where the scan tool was run. You can use multiple results.xml files captured from other scans to aggregate data for updates across an enterprise. When using the results.xml file, the <Status> field indicates whether a particular update is Applicable or Installed. Applicable indicates that the listed security update is needed and is not installed. Installed indicates that the listed security update is applicable and is successfully installed on the target machine. If a single security update is not applicable within a scan for multiple security updates, the results.xml file will contain no result (neither Applicable nor Installed) for the specific update. This is often the case when an optional vulnerable component is not present on the system which will allow detection for this update to be skipped. Only if none of the security updates are appropriate will the results.xml file return No checks apply to this system. An example of the current output format is provided below (this format is subject to change): <ScanResults> <ScanDateTime>9/16/2004 2:40:30 PM</ScanDateTime> <XMLDataVersion>2004.12.14.0</XMLDataVersion> <ScannedBy>COMPUTER_A \ SYSTEM</ScannedBy> <Machine> <MachineName>COMPUTER_A</MachineName> <Domain>MYDOMAIN</Domain> <Product> <ProductName>WINDOWS 2000 ADVANCED SERVER</ProductName> <Item> <LocaleID>1033</LocaleID> <ItemClass>Patch</ItemClass> <BulletinID>MS0x-00x</BulletinID> <BulletinTitle>Buffer Overrun Could Allow Code Execution (999999)</BulletinTitle> <SQNumber>999999</SQNumber> <BulletinUrl>http://www.microsoft.com/technet/security/bulletin/ MS0x-00x.mspx</BulletinUrl>

<DownloadURL>n/a</DownloadURL> <Description></Description> <Status>Applicable</Status> <ItemType></ItemType> <DatePosted></DatePosted> <DateRevised></DateRevised> <UnattendSyntax>/q /z</UnattendSyntax> </Item> </Product> </Machine> </ScanResults> Consolidate data from multiple computers Enterprise customers may want to consolidate the output data from multiple computers into an easy to read report, a database, or another format for purposes of reporting or compliance checking. Because of diverse customer requirements, Microsoft has not provided a centralized reporting solution with the tool. However, the xml files that are saved by the scanning tool can be imported into a database for centralized reporting.

Uninstall the tool To uninstall the tool from client computers, delete the folder you used when installing the tool originally.

Limitations

You must run the Enterprise Update Scan Tool under an account having local Administrative rights or System context. This tool has been tested on supported products and configurations only. When the tool is run in an unsupported operating system configuration such as Windows 2000 Service Pack 2 (SP2), you receive the following message: No checks apply to this system

This tool produces results only in English, although the detection capability is provided for each affected language of the monthly updates being released (as listed in the summary section of this document.) This tool performs local scans only. This tool does not provide detection for third-party applications that may be using a vulnerable version of the affected component. Any modification or customization of the tool or detection manifest (xml file) is not permitted under the End User License Agreement (EULA). The tool has only been tested on supported operating systems with supported versions of affected products. The tool may report inaccurate information or may not report information about unsupported products. For more information about supported product versions, see the following Microsoft Web sites:

Windows Life-Cycle Policy http://www.microsoft.com/windows/lifecycle/default.mspx Product Lifecycle Dates - Windows Product Family http://support.microsoft.com/default.aspx?scid=fh;%5Bln%5D;LifeWin

The tool requires MSXML (Microsoft XML Parser) 3.0 to be present on any computer on which it is run. MSXML 3.0 is installed by Internet Explorer 6 and Internet Explorer 6 SP1. MSXML 3.0 is also part of Windows Server 2003. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 269238 Version list for the Microsoft XML parser

Frequently asked questions Q1: Why does my results.xml report say "No checks apply to this system"? A1: You may receive this message if you are running the tool on a platform that is not one of the affected products listed in the bulletin. That is, either the combination of operating system and service pack is not supported or not vulnerable, or the affected product or component is not installed. Important: You must verify that you are running a supported platform if you receive this message. You may have vulnerable products installed that are not updated by the tool if you are running an operating system that is not supported by the tool. Q2: How do I verify that all updates have been applied to a computer? A2: After you run the tool to detect needed updates, and updates have been installed, run the tool again to verify the patch status for all updates. For each relevant security update, the appropriate patch status will be provided (either Installed or Applicable). No patch status will be provided for updates that are not appropriate for a target machine (such as when an optional, vulnerable component is not present). If none of the security updates are appropriate for the target machine, the results.xml file will return No checks apply to this system. Note If any updates require a restart of the computer, the tool will only detect these updates as being installed after the restart is performed. Q3: The tool is producing no output. What is happening? A3: Make sure that the client computer meets all the prerequisites that are listed in the Limitations section.

Copyright Information
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

 1994-2006 Microsoft Corporation. All rights reserved. Microsoft, MS-DOS, Windows, Windows NT, Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.