To patch or not to patch is one of the most significant security decisions made in everyday computing. Administrators know from experience that patches often introduce unexpected problems, creating instability and possibly downtime. When patches are installed, the process of deploying them to every host in the enterprise can be enormously time consuming, as a patch that causes no problems for one host may damage another. For these and other reasons, it is important that patching be done carefully and purposefully, with tools that you fully comprehend and control.
Fortunately, Microsoft has introduced, with Windows 2000 Professional Service Pack 3 (and provided with Windows XP), a Windows Update Agent API that enables you to exercise more control over the Windows Update process. Documentation for the WUA API can be found in the Platform SDK or at the following URL:
Visual Basic Script can be used to write to the WUA API because it has been implemented as Automation-compliant COM objects, interfaces, and collections. The following script can be used to access the basic Windows Update functionality from a command line. It retrieves a list of patches and new software that have not yet been installed on the host, downloads as many of them as possible, and displays a list of the downloaded updates. Enter the number of the patch to install and press Enter, and this script will invoke the installation process for the selected update.
Set us = CreateObject("Microsoft.Update.Session") Set updates = CreateObject("Microsoft.Update.UpdateColl") Set download = us.CreateUpdateDownloader() Set usearch = us.CreateupdateSearcher() Set usresult = usearch.Search("IsInstalled=0 and Type='Software'") For a = 0 to usresult.Updates.Count - 1 Set patch = usresult.Updates.Item(a) updates.Add(patch) Next download.Updates = updates download.Download() For a = updates.Count - 1 to 0 step -1 Set patch = updates.Item(a) If patch.IsDownloaded = false Then WScript.Echo "Failed to download: " & patch.Title & vbCRLF updates.RemoveAt(a) End If Next WScript.Echo "Patches Downloaded and Available to Install:" & vbCRLF For a = 0 to updates.Count - 1 Set patch = updates.Item(a) WScript.Echo a + 1 & ": " & patch.Title & vbCRLF Next WScript.Echo WScript.Echo "Select Patch to Install: " selection = WScript.StdIn.Readline If IsNumeric(selection) Then If Int(selection) <= updates.Count Then Set install = us.CreateUpdateInstaller() Set patch = updates.Item(selection - 1) updates.Clear() updates.Add(patch) install.Updates = updates Set installed = install.Install() If installed.ResultCode = 2 Then WScript.Echo "Installation Completed." & vbCRLF Else WScript.Echo "Installation Error! Code: " & installed.ResultCode & vbCRLF End If If installed.RebootRequired = true Then WScript.Echo "You Must Reboot for Patch to Take Effect." & vbCRLF End If Else WScript.Echo "Invalid Selection." & vbCRLF End If Else WScript.Echo "No Patches Installed." & vbCRLF End If
The Windows Update Agent stores the downloaded patches and software updates so that next time the script is executed, they need not be downloaded again. All available patches and updates that can be downloaded from Windows Update can thus be installed, one at a time, using the script provided in this article.
It has long been a source of frustration for many security admins that you had to use Internet Explorer in order to use Windows Update. With the Windows Update Agent API, this problem has been effectively resolved. You can now selectively install patches from the command line, and fine-tune or automate your policies and procedures for deploying patches from Microsoft.
Jason Coombs is Director of Forensic Services for PivX Solutions Inc. (NASDAQ OTCBB: PIVX), a provider of security solutions, computer forensics, and expert witness services. Reach him at [email protected].