Re: [H] Offline Windows Updater
With perl you could just parse the c:\windows\WindowsUpdate.log and after you check and see no patches found then you could just delete the startup script. I am sure it would be really easy to determine that even if it's a hack like checking for the existence of a file or something.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j maccraw
Sent: Thursday, February 21, 2008 11:50 AM
To: hardware@hardwaregroup.com
Subject: Re: [H] Offline Windows Updater

Totally doable if you use an INF instead of a REG to do the patching so you have control over setting or reverting the settings by simply changing the parameters of the call to the INF. Initiate the setup call the INF install with GUIRunOnce in WINNT.SIF. As to how to automatically detect when all updates are installed I'm stumped but removing is as simple as calling the same command with a different section.

"To invoke the INF

Add a line to $OEM$\Cmdlines.txt to invoke the INF you created from the sysdiff difference file. The command is of the same form as you would use to invoke any Windows 95-style INF. The format is as follows:

"RUNDLL32 syssetup,SetupInfObjectInstallAction section 128 inf"

where:

Section specifies the name of the section in the INF file.

Inf specifies the name of the INF file. This should be specified as a relative path to avoid invoking Setup's default INF rules, which look for an unqualified filename in the system inf directory instead of the current directory. For example, specify ..\newtools.inf, not just newtools.inf.

The command is always enclosed in double quotation marks. "

Mesdaq, Ali wrote:
> Greg you're the Man! Thanks for the reg key info and the "wuauclt
> /detectnow" info. I remember there was a command line way to force it to
> check but too lazy to look for it. So you answered my laziness for me.
>
> I think a combination of nLite customized xp install to include
> some things in the install like perl or whatever scripting language can
> really automate this whole process so the computer keeps checking for
> updates on start up until there are none left and deletes itself and
> changes reg keys back to normal.
>
> Thanks,
> --
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> --
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Sevart
> Sent: Wednesday, February 20, 2008 11:23 AM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> Some other useful notes:
>
> "net stop wuauserv" stops the Automatic Updates (AU) service so it will
> pick up the new config. Change to start, obviously, to restart it.
>
> "wuauclt /detectnow" forces AU to detect if updates are needed
> immediately.
>
> c:\windows\WindowsUpdate.log provides a verbose log file of AU activity.
>
> Greg
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:hardware-
>> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
>> Sent: Wednesday, February 20, 2008 1:13 PM
>> To: hardware@hardwaregroup.com
>> Subject: Re: [H] Offline Windows Updater
>>
>> At 03:04 PM 20/02/2008, Greg Sevart wrote:
>>> Oh, absolutely. You also don't need a domain and group policy--you just use
>>> a .reg file to add the WSUS server info, then delete the key when you're
>>> fully patched. We use it internally to bring new machines up to date
>>> -before- joining the corporate domain.
>> Awesome. This is going to be a huge time saver for me. I owe you.
>>
>> T
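The log check suggested in this message, written in Python rather than Perl as an added example that is not part of the original posts. The sample lines are constructed, and their message wording is an assumption modelled on the XP-era WindowsUpdate.log layout.

```python
import re

# Constructed sample (not from the thread), modelled on the tab-separated
# layout of the XP-era WindowsUpdate.log: date, time, PID, TID, component,
# message. The message wording is an assumption; check it against a real log.
SAMPLE_LOG = (
    "2008-02-21\t10:02:11:312\t1044\t8a4\tAU\tTriggering AU detection through DetectNow API\n"
    "2008-02-21\t10:02:58:671\t1044\t9c0\tAgent\t  * Found 14 updates and 12 categories in search\n"
    "2008-02-21\t10:41:07:005\t1044\t8a4\tAU\tTriggering AU detection through DetectNow API\n"
    "2008-02-21\t10:41:39:448\t1044\t9c0\tAgent\t  * Found 0 updates and 12 categories in search\n"
)

LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\t(\d{2}:\d{2}:\d{2}):\d+\t\d+\t[0-9a-fA-F]+\t(\w+)\t(.*)$"
)
FOUND = re.compile(r"Found (\d+) updates")


def detection_events(log_text):
    """Return [(timestamp, kind, count)] for detection triggers and results."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banner lines, wrapped text, partial writes
        date, clock, component, message = m.groups()
        stamp = f"{date} {clock}"
        if component == "AU" and "DetectNow" in message:
            events.append((stamp, "trigger", None))
            continue
        found = FOUND.search(message)
        if component == "Agent" and found:
            events.append((stamp, "result", int(found.group(1))))
    return events


def pending_updates(log_text):
    """Update count answering the most recent detection, or None if unknown.

    A "Found 0 updates" line written before the latest "wuauclt /detectnow"
    is stale, so every trigger resets the answer until a newer result lands.
    """
    answer = None
    for _stamp, kind, count in detection_events(log_text):
        answer = None if kind == "trigger" else count
    return answer


def safe_to_revert(log_text):
    """True only when the latest completed detection reported zero updates."""
    return pending_updates(log_text) == 0


if __name__ == "__main__":
    print("pending:", pending_updates(SAMPLE_LOG))
    print("revert WSUS settings now:", safe_to_revert(SAMPLE_LOG))
```

A startup script would call `safe_to_revert` on the log contents and only then remove the WSUS policy key and itself; an unknown answer (`None`) means wait and check again, not clean up.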
Re: [H] Offline Windows Updater
Totally doable if you use an INF instead of a REG to do the patching so you have control over setting or reverting the settings by simply changing the parameters of the call to the INF. Initiate the setup call the INF install with GUIRunOnce in WINNT.SIF. As to how to automatically detect when all updates are installed I'm stumped but removing is as simple as calling the same command with a different section.

"To invoke the INF

Add a line to $OEM$\Cmdlines.txt to invoke the INF you created from the sysdiff difference file. The command is of the same form as you would use to invoke any Windows 95-style INF. The format is as follows:

"RUNDLL32 syssetup,SetupInfObjectInstallAction section 128 inf"

where:

Section specifies the name of the section in the INF file.

Inf specifies the name of the INF file. This should be specified as a relative path to avoid invoking Setup's default INF rules, which look for an unqualified filename in the system inf directory instead of the current directory. For example, specify ..\newtools.inf, not just newtools.inf.

The command is always enclosed in double quotation marks. "

Mesdaq, Ali wrote:
> Greg you're the Man! Thanks for the reg key info and the "wuauclt
> /detectnow" info. I remember there was a command line way to force it to
> check but too lazy to look for it. So you answered my laziness for me.
>
> I think a combination of nLite customized xp install to include
> some things in the install like perl or whatever scripting language can
> really automate this whole process so the computer keeps checking for
> updates on start up until there are none left and deletes itself and
> changes reg keys back to normal.
>
> Thanks,
> --
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> --
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Sevart
> Sent: Wednesday, February 20, 2008 11:23 AM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> Some other useful notes:
>
> "net stop wuauserv" stops the Automatic Updates (AU) service so it will
> pick up the new config. Change to start, obviously, to restart it.
>
> "wuauclt /detectnow" forces AU to detect if updates are needed
> immediately.
>
> c:\windows\WindowsUpdate.log provides a verbose log file of AU activity.
>
> Greg
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:hardware-
>> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
>> Sent: Wednesday, February 20, 2008 1:13 PM
>> To: hardware@hardwaregroup.com
>> Subject: Re: [H] Offline Windows Updater
>>
>> At 03:04 PM 20/02/2008, Greg Sevart wrote:
>>> Oh, absolutely. You also don't need a domain and group policy--you just use
>>> a .reg file to add the WSUS server info, then delete the key when you're
>>> fully patched. We use it internally to bring new machines up to date
>>> -before- joining the corporate domain.
>> Awesome. This is going to be a huge time saver for me. I owe you.
>>
>> T
Re: [H] Offline Windows Updater
Even easier. Just nuke the key completely when you're done. The AU key to use WSUS is most definitely under HKLM. Perhaps "standard" Windows Updates doesn't use it at all, so simply deleting it should revert back to that functionality.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:hardware-
> [EMAIL PROTECTED] On Behalf Of Wayne Johnson
> Sent: Thursday, February 21, 2008 2:36 AM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> At 02:04 PM 2/20/2008, Greg Sevart typed:
> >You'll want to save out the
> >HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
>
> I have no such key under HKLM to save out but I do under HKCU.
>
>
> ---+--
> I'm a geek that loves to tweak.
Re: [H] Offline Windows Updater
Greg you're the Man! Thanks for the reg key info and the "wuauclt /detectnow" info. I remember there was a command line way to force it to check but too lazy to look for it. So you answered my laziness for me.

I think a combination of nLite customized xp install to include some things in the install like perl or whatever scripting language can really automate this whole process so the computer keeps checking for updates on start up until there are none left and deletes itself and changes reg keys back to normal.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Sevart
Sent: Wednesday, February 20, 2008 11:23 AM
To: hardware@hardwaregroup.com
Subject: Re: [H] Offline Windows Updater

Some other useful notes:

"net stop wuauserv" stops the Automatic Updates (AU) service so it will pick up the new config. Change to start, obviously, to restart it.

"wuauclt /detectnow" forces AU to detect if updates are needed immediately.

c:\windows\WindowsUpdate.log provides a verbose log file of AU activity.

Greg

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:hardware-
> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
> Sent: Wednesday, February 20, 2008 1:13 PM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> At 03:04 PM 20/02/2008, Greg Sevart wrote:
> >Oh, absolutely. You also don't need a domain and group policy--you just use
> >a .reg file to add the WSUS server info, then delete the key when you're
> >fully patched. We use it internally to bring new machines up to date
> >-before- joining the corporate domain.
>
> Awesome. This is going to be a huge time saver for me. I owe you.
>
> T
Re: [H] Offline Windows Updater
Some other useful notes:

"net stop wuauserv" stops the Automatic Updates (AU) service so it will pick up the new config. Change to start, obviously, to restart it.

"wuauclt /detectnow" forces AU to detect if updates are needed immediately.

c:\windows\WindowsUpdate.log provides a verbose log file of AU activity.

Greg

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:hardware-
> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
> Sent: Wednesday, February 20, 2008 1:13 PM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> At 03:04 PM 20/02/2008, Greg Sevart wrote:
> >Oh, absolutely. You also don't need a domain and group policy--you just use
> >a .reg file to add the WSUS server info, then delete the key when you're
> >fully patched. We use it internally to bring new machines up to date
> >-before- joining the corporate domain.
>
> Awesome. This is going to be a huge time saver for me. I owe you.
>
> T
Re: [H] Offline Windows Updater
At 03:04 PM 20/02/2008, Greg Sevart wrote:
>Oh, absolutely. You also don't need a domain and group policy--you just use
>a .reg file to add the WSUS server info, then delete the key when you're
>fully patched. We use it internally to bring new machines up to date
>-before- joining the corporate domain.

Awesome. This is going to be a huge time saver for me. I owe you.

T
Re: [H] Offline Windows Updater
Oh, absolutely. You also don't need a domain and group policy--you just use a .reg file to add the WSUS server info, then delete the key when you're fully patched. We use it internally to bring new machines up to date -before- joining the corporate domain.

Here's a sample wsus-enable.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://[wsus-server]:[port]"
"WUStatusServer"="http://[wsus-server]:[port]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
; value lost in the archived copy; 0 assumed, matching the other truncated dwords
"NoAutoUpdate"=dword:00000000
; 4 = download automatically and install on the schedule below
"AUOptions"=dword:00000004
; value lost in the archived copy; 0 (every day) assumed
"ScheduledInstallDay"=dword:00000000
; hour of day, 9 = 09:00
"ScheduledInstallTime"=dword:00000009
"RebootRelaunchTimeoutEnabled"=dword:00000001
; 0x3c = 60 minutes
"RebootRelaunchTimeout"=dword:0000003c
"RescheduleWaitTimeEnabled"=dword:00000001
; 0x1e = 30 minutes
"RescheduleWaitTime"=dword:0000001e
"UseWUServer"=dword:00000001

You'll want to save out the HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate key before doing this to re-set back to standard updates. Save it out as something like wsus-disable.reg and just run it on machines (along with a REG DELETE beforehand?) after you're patched. There's nothing system-unique in this key; one export should work for all Windows machines.

Greg

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:hardware-
> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
> Sent: Wednesday, February 20, 2008 12:17 PM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> At 01:58 PM 20/02/2008, Mesdaq, Ali wrote:
> >I would be very hesitant to trust some free tool. But if you could
> >install with a xp sp2 install then connect to your own internal WSUS
> >server for updates post install patching could go from 2hrs to 20min.
>
> Can I use a WSUS server in a repair shop? Everything I've read says
> it won't work, or if it does, may/will screw up doing Windows update
> from home.
>
> T
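An added example, not from the thread: one way to confirm the clean-up step actually happened before a machine goes home, by scanning the text of a `reg export` of the policy branch for leftover WSUS settings. The sample export and the server name in it are constructed placeholders.

```python
import re

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# Constructed export of a machine that left the bench with the shop policy
# still applied; wsus.shop.example:8530 is a placeholder, not from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus.shop.example:8530"
"WUStatusServer"="http://wsus.shop.example:8530"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
'''

VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {KEY_PATH: {value_name: int | str | None}}.

    Key paths and value names are case-insensitive in the registry, so both
    are normalised. Only string and dword values are read, which covers
    every value in the sample policy file above.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = VALUE.match(line)
        if not m or current is None:
            continue  # file header or an unsupported value type
        name, raw = m.group(1).lower(), m.group(2)
        if raw.lower().startswith("dword:"):
            try:
                current[name] = int(raw[6:], 16)
            except ValueError:
                current[name] = None  # truncated dword such as "dword:"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys


def wsus_leftovers(reg_text):
    """List the settings that still point the machine at a WSUS server."""
    keys = parse_reg(reg_text)
    wu = keys.get(POLICY_KEY.upper(), {})
    au = keys.get(POLICY_KEY.upper() + r"\AU", {})
    findings = []
    if au.get("usewuserver") == 1:
        findings.append("UseWUServer=1")
    for name in ("WUServer", "WUStatusServer"):
        url = wu.get(name.lower())
        if url:
            findings.append(f"{name}={url}")
    return findings


if __name__ == "__main__":
    for finding in wsus_leftovers(SAMPLE_EXPORT):
        print("still set:", finding)
```

`reg export` writes UTF-16 text, so read the file with `encoding="utf-16"` before passing its contents in; an empty result means nothing in the export redirects Windows Update.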
Re: [H] Offline Windows Updater
nLite has its place when making custom install XP CDs. Autopatcher was quite good and is not dead but rather they've been forced to change tack by scripting the downloads (to come direct from M$ servers) needed to create the packages. Right now it looks like the downloader has some issues with stalling and I would not be surprised if M$ is causing that on purpose. Personally I still start with the AP August 2007 core if I reinstall or patch a system because it's just that much less I have to download. I'll have to look into this other patcher but I think they made themselves known on the AP forums & were brushed aside.

Mesdaq, Ali wrote:
> I would 2nd not using 3rd party tools for this kind of stuff unless it's
> up to business par. I worked for a company who was the pioneer of
> windows patch management and trust me it's a VERY hard thing to do right.
> I would be very hesitant to trust some free tool. But if you could
> install with a xp sp2 install then connect to your own internal WSUS
> server for updates post install patching could go from 2hrs to 20min.
>
> One cool tool I found and actually used was nLite. Anyone else here use
> that before? I only used it once but worked good that one time. But I
> can't really vouch for it as a tool to run your business on but if
> anyone wants to play with it and let us know what you think I would love
> to hear.
>
> Thanks,
> --
> Ali Mesdaq (CISSP, GIAC-GREM)
> Security Researcher II
> Websense Security Labs
> http://www.WebsenseSecurityLabs.com
> --
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Greg Sevart
> Sent: Wednesday, February 20, 2008 5:48 AM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> Thane,
>
> I'm actually kinda surprised you don't just run an internal WSUS server
> for in-house patching. I've always preferred it over third party tools.
> Sure, it still requires multiple reboots, but at least pulling updates
> is nearly instantaneous. After a couple botched systems caused by
> Autopatcher, I just don't trust those tools to get the dependencies
> right.
>
> It doesn't help much "in the field" so to speak, but could certainly
> assist in-house.
>
> Greg
>
>> -Original Message-----
>> From: [EMAIL PROTECTED] [mailto:hardware-
>> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
>> Sent: Wednesday, February 20, 2008 7:34 AM
>> To: hardware@hardwaregroup.com
>> Subject: Re: [H] Offline Windows Updater
>>
>> Hi Brian,
>> Thanks for the tip, I'm definitely going to try this out.
>>
>> T
Re: [H] Offline Windows Updater
At 01:58 PM 20/02/2008, Mesdaq, Ali wrote:
>I would be very hesitant to trust some free tool. But if you could
>install with a xp sp2 install then connect to your own internal WSUS
>server for updates post install patching could go from 2hrs to 20min.

Can I use a WSUS server in a repair shop? Everything I've read says it won't work, or if it does, may/will screw up doing Windows update from home.

T
Re: [H] Offline Windows Updater
I would 2nd not using 3rd party tools for this kind of stuff unless it's up to business par. I worked for a company who was the pioneer of windows patch management and trust me it's a VERY hard thing to do right. I would be very hesitant to trust some free tool. But if you could install with a xp sp2 install then connect to your own internal WSUS server for updates post install patching could go from 2hrs to 20min.

One cool tool I found and actually used was nLite. Anyone else here use that before? I only used it once but worked good that one time. But I can't really vouch for it as a tool to run your business on but if anyone wants to play with it and let us know what you think I would love to hear.

Thanks,
--
Ali Mesdaq (CISSP, GIAC-GREM)
Security Researcher II
Websense Security Labs
http://www.WebsenseSecurityLabs.com
--

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Greg Sevart
Sent: Wednesday, February 20, 2008 5:48 AM
To: hardware@hardwaregroup.com
Subject: Re: [H] Offline Windows Updater

Thane,

I'm actually kinda surprised you don't just run an internal WSUS server for in-house patching. I've always preferred it over third party tools. Sure, it still requires multiple reboots, but at least pulling updates is nearly instantaneous. After a couple botched systems caused by Autopatcher, I just don't trust those tools to get the dependencies right.

It doesn't help much "in the field" so to speak, but could certainly assist in-house.

Greg

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:hardware-
> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
> Sent: Wednesday, February 20, 2008 7:34 AM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> Hi Brian,
> Thanks for the tip, I'm definitely going to try this out.
>
> T
>
> At 09:06 AM 20/02/2008, Brian Weeden wrote:
> >Having gone through the a&&pain of multiple reboots and patching for
> >a new windows install too many times myself, I wanted to pass along
> >this little gem that I don't think has been mentioned here before:
> >
> >http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
> >
> >It's an offline updater for Windows, reminiscent of the now defunct
> >Autopatcher. You download it, tell it which windows products (OS
> >and/or Office), versions, and languages you want, and it will
> >download all the patches and service packs and put them into one
> >burnable CD or DVD.
> >
> >The download link for the latest version is here:
> >
> >http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml
> >
> >Lifesaver.
> >
> >---
> >Brian
Re: [H] Offline Windows Updater
At 07:06 2/20/2008, Brian Weeden, wrote:
>Having gone through the a&&pain of multiple reboots and patching for
>a new windows install too many times myself, I wanted to pass along
>this little gem that I don't think has been mentioned here before:
>
>http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
>
>It's an offline updater for Windows, reminiscent of the now defunct
>Autopatcher. You download it, tell it which windows products (OS
>and/or Office), versions, and languages you want, and it will download
>all the patches and service packs and put them into one burnable CD or
>DVD.
>
>The download link for the latest version is here:
>
>http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml
>
>Lifesaver.
>
>---
>Brian

Or, if you like to pick and choose:

http://www.msfn.org/board/index.php?act=SF&f=129
Re: [H] Offline Windows Updater
Yes, AFAIK you need to log the machine into a domain, have it accept a group policy that sets the update repo path, do the updates, and then disjoin it from the domain and pray that the GP doesn't stick around after that.

Thane Sherrington wrote:
> At 09:48 AM 20/02/2008, Greg Sevart wrote:
>> Thane,
>>
>> I'm actually kinda surprised you don't just run an internal WSUS server for in-house patching. I've always preferred it over third party tools. Sure, it still requires multiple reboots, but at least pulling updates is nearly instantaneous. After a couple botched systems caused by Autopatcher, I just don't trust those tools to get the dependencies right.
>>
>> It doesn't help much "in the field" so to speak, but could certainly assist in-house.
>
> I understood that in order to use a WSUS server, I'd have to log the machine to be updated into my server. Then I'd have to convince the machine to go back to normal Windows Updates when the customer takes the computer home. I've done some very basic reading on this, and it doesn't appear anyone has WSUS working in a repair shop setting. If you have some pointers, I'd be interested in giving it a try.
>
> T
Re: [H] Offline Windows Updater
Looks nice, just rebuilt 2 PCs this weekend and even using XP with SP2, there were 102 or so updates needed and it takes forever.

>>Having gone through the a&&pain of multiple reboots and patching for
>>a new windows install too many times myself, I wanted to pass along
>>this little gem that I don't think has been mentioned here before:
>>
>>http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
>>
>>It's an offline updater for Windows, reminiscent of the now defunct
>>Autopatcher. You download it, tell it which windows products (OS
>>and/or Office), versions, and languages you want, and it will download
>>all the patches and service packs and put them into one burnable CD or
>>DVD.
>>
>>The download link for the latest version is here:
>>
>>http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml
>>
>>Lifesaver.
>>
>>---
>>Brian

--
JRS <[EMAIL PROTECTED]>
Please remove **X** to reply...
...Cleverly Disguised As A Responsible Adult...
Re: [H] Offline Windows Updater
At 09:48 AM 20/02/2008, Greg Sevart wrote:
>Thane,
>
>I'm actually kinda surprised you don't just run an internal WSUS server for in-house patching. I've always preferred it over third party tools. Sure, it still requires multiple reboots, but at least pulling updates is nearly instantaneous. After a couple botched systems caused by Autopatcher, I just don't trust those tools to get the dependencies right.
>
>It doesn't help much "in the field" so to speak, but could certainly assist in-house.

I understood that in order to use a WSUS server, I'd have to log the machine to be updated into my server. Then I'd have to convince the machine to go back to normal Windows Updates when the customer takes the computer home. I've done some very basic reading on this, and it doesn't appear anyone has WSUS working in a repair shop setting. If you have some pointers, I'd be interested in giving it a try.

T
Re: [H] Offline Windows Updater
Thane,

I'm actually kinda surprised you don't just run an internal WSUS server for in-house patching. I've always preferred it over third party tools. Sure, it still requires multiple reboots, but at least pulling updates is nearly instantaneous. After a couple botched systems caused by Autopatcher, I just don't trust those tools to get the dependencies right.

It doesn't help much "in the field" so to speak, but could certainly assist in-house.

Greg

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:hardware-
> [EMAIL PROTECTED] On Behalf Of Thane Sherrington
> Sent: Wednesday, February 20, 2008 7:34 AM
> To: hardware@hardwaregroup.com
> Subject: Re: [H] Offline Windows Updater
>
> Hi Brian,
> Thanks for the tip, I'm definitely going to try this out.
>
> T
>
> At 09:06 AM 20/02/2008, Brian Weeden wrote:
> >Having gone through the a&&pain of multiple reboots and patching for
> >a new windows install too many times myself, I wanted to pass along
> >this little gem that I don't think has been mentioned here before:
> >
> >http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
> >
> >It's an offline updater for Windows, reminiscent of the now defunct
> >Autopatcher. You download it, tell it which windows products (OS
> >and/or Office), versions, and languages you want, and it will download
> >all the patches and service packs and put them into one burnable CD or
> >DVD.
> >
> >The download link for the latest version is here:
> >
> >http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml
> >
> >Lifesaver.
> >
> >---
> >Brian
Re: [H] Offline Windows Updater
Hi Brian,
Thanks for the tip, I'm definitely going to try this out.

T

At 09:06 AM 20/02/2008, Brian Weeden wrote:
>Having gone through the a&&pain of multiple reboots and patching for a new windows install too many times myself, I wanted to pass along this little gem that I don't think has been mentioned here before:
>
>http://www.heise-online.co.uk/security/Do-it-yourself-Service-Pack--/features/80682
>
>It's an offline updater for Windows, reminiscent of the now defunct Autopatcher. You download it, tell it which windows products (OS and/or Office), versions, and languages you want, and it will download all the patches and service packs and put them into one burnable CD or DVD.
>
>The download link for the latest version is here:
>
>http://www.heise.de/ct/projekte/offlineupdate/download_uk.shtml
>
>Lifesaver.
>
>---
>Brian