Channels ▼
RSS

Scripting Patch Deployment with WUA API


Scripting Patch Deployment with WUA API

To patch or not to patch is one of the most significant security decisions made in everyday computing. Administrators know from experience that patches often introduce unexpected problems, creating instability and possibly downtime. When patches are installed, the process of deploying them to every host in the enterprise can be enormously time consuming, as a patch that causes no problems for one host may damage another. For these and other reasons, it is important that patching be done carefully and purposefully, with tools that you fully comprehend and control.

Fortunately, Microsoft has introduced, with Windows 2000 Professional Service Pack 3 (and provided with Windows XP), a Windows Update Agent API that enables you to exercise more control over the Windows Update process. Documentation for the WUA API can be found in the Platform SDK or at the following URL:

http://msdn.microsoft.com/library/en-us/wua_sdk/wua/portal_client.asp

Visual Basic Script can be used to write to the WUA API because it has been implemented as Automation-compliant COM objects, interfaces, and collections. The following script can be used to access the basic Windows Update functionality from a command line. It retrieves a list of patches and new software that have not yet been installed on the host, downloads as many of them as possible, and displays a list of the downloaded updates. Enter the number of the patch to install and press Enter, and this script will invoke the installation process for the selected update.

Set us = CreateObject("Microsoft.Update.Session")
Set updates = CreateObject("Microsoft.Update.UpdateColl")
Set download = us.CreateUpdateDownloader()
Set usearch = us.CreateupdateSearcher()
Set usresult = usearch.Search("IsInstalled=0 and Type='Software'")

For a = 0 to usresult.Updates.Count - 1
  Set patch = usresult.Updates.Item(a)
  updates.Add(patch)
Next

download.Updates = updates
download.Download()

For a = updates.Count - 1 to 0 step -1
  Set patch = updates.Item(a)
  If patch.IsDownloaded = false Then
   WScript.Echo "Failed to download: " & patch.Title & vbCRLF
   updates.RemoveAt(a)
  End If
Next

WScript.Echo "Patches Downloaded and Available to Install:" & vbCRLF
For a = 0 to updates.Count - 1
  Set patch = updates.Item(a)
  WScript.Echo a + 1 & ": " & patch.Title & vbCRLF
Next

WScript.Echo
WScript.Echo "Select Patch to Install: "

selection = WScript.StdIn.Readline

If IsNumeric(selection) Then
  If Int(selection) <= updates.Count Then
   Set install = us.CreateUpdateInstaller()
   Set patch = updates.Item(selection - 1)
   updates.Clear()
   updates.Add(patch)
   install.Updates = updates
   Set installed = install.Install()

   If installed.ResultCode = 2 Then
    WScript.Echo "Installation Completed." & vbCRLF
   Else
    WScript.Echo "Installation Error! Code: " & installed.ResultCode & vbCRLF
   End If
   If installed.RebootRequired = true Then
    WScript.Echo "You Must Reboot for Patch to Take Effect." & vbCRLF
   End If
  Else
   WScript.Echo "Invalid Selection." & vbCRLF
  End If
Else
  WScript.Echo "No Patches Installed." & vbCRLF
End If

The Windows Update Agent stores the downloaded patches and software updates so that next time the script is executed, they need not be downloaded again. All available patches and updates that can be downloaded from Windows Update can thus be installed, one at a time, using the script provided in this article.

It has long been a source of frustration for many security admins that you had to use Internet Explorer in order to use Windows Update. With the Windows Update Agent API, this problem has been effectively resolved. You can now selectively install patches from the command line, and fine-tune or automate your policies and procedures for deploying patches from Microsoft.


Jason Coombs is Director of Forensic Services for PivX Solutions Inc. (NASDAQ OTCBB: PIVX), a provider of security solutions, computer forensics, and expert witness services. Reach him at [email protected].



Related Reading


More Insights






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.