Mbsacli lets you configure and initiate scans from a command line and more powerfully automate scans by using batch files and scripts. You can run Mbsacli in MBSA mode or HFNetChk mode. The more comprehensive MBSA mode checks for system and application vulnerabilities and missing patches and writes the scan results to an XML file.
The HFNetChk mode checks only for missing patches and doesn't save the results to an XML file. You run Mbsacli in HFNetChk mode by specifying the /hf parameter, as in
mbsacli /hf \[HFNetChk parameters\]
The HFNetChk mode has more parameters than MBSA mode, which makes HFNetChk mode more flexible than MBSA mode. For example, MBSA mode doesn't let you specify a text file that contains a list of computers to scan as HFNetChk mode does. Additionally, HFNetChk mode lets you scan with alternate permissions. To see lists of the two modes' parameters, type the following two commands:
mbsacli /? mbsacli /hf /?
Fun with Mbsacli
When a security update is installed on a computer, Windows records the installation in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix registry subkey. Very basic patch scanners might query only this location for the absence of security patches. However, this check might not be adequate. For example, you might apply a patch to Microsoft IIS, then later remove and reinstall IIS, which might copy unpatched files back to the server. But the registry might still show that the patch is installed.
The mssecure_1003.cab file used by MBSA contains file version and checksum information in addition to the registry information for a particular security update. MBSA first looks for the patch in the registry (you can suppress this check by running the tool with the /hf -z switch), then looks on the system for each file associated with the patch and compares it with data contained in the Mssecure file. If the file version or checksum differs, MBSA reports the patch as missing. To speed up your scans, you can run them without checksum checking by specifying the -nosum parameter, which instructs MBSA to check the file versions but not the checksums. This parameter is available in both Mbsacli's MBSA mode and HFNetChk mode.
To scan multiple targets, run Mbsacli as follows in MBSA mode:
mbsacli /c 2k3,2ksrv,dc5,xppro
or as follows in HFNetChk mode:
mbsacli /hf -h 2k3,2ksrv,dc5,xppro
There should be no spaces between the comma-delimited host names.
If you run the scan in HFNetChk mode (with the /hf parameter), instead of specifying the hosts as part of the command line, you can specify as many as 256 hosts in a text file (one host per line) and then execute the file by specifying the file name on the -fh parameter. For example, you could have a file named hostlist.txt that contains the following host names:
2k3 2ksrv dc5 xppro
To scan these hosts by using Mbsacli in HFNetChk mode, you could use the following command:
mbsacli /hf -fh c:\hostlist.txt -nosum -z
This command instructs Mbsacli to scan the computers listed in the text file and disables checksum processing and registry processing. Only the file versions will be checked.
If you have more than 256 computers, an MBSA sample script named batchscan.js breaks a list of any length into smaller lists of 128 computers, which the script then uses Mbsacli to process. For example, you could use Microsoft Active Directory Service Interfaces (ADSI) to create a list of computers from your domain (or a specific organizational unit-OU) in one large text file and then use Batchscan to process this list to scan each computer.
Instead of specifying host names, you can direct Mbsacli to read a text file of IP addresses by using the HFNetChk -fip filename parameter. By default, MBSA scans for all missing security updates, and each security update has an associated article number that begins with Q. You can direct Mbsacli to ignore certain Q numbers by inserting the numbers in a text file, then specifying the name of that file on the -fq parameter. The -fip and -fq parameters are available only in HFNetChk mode.
When you run scans using the /hf parameter, the results are output to the screen as Web Figure B shows. This is useful if you're running the scanner interactively, but if you want to schedule the scanner to regularly run by itself, you can redirect the output to a file by using the -f outfile parameter. Remember that HFNetChk mode doesn't log results as XML files to the %userprofile%/securityscans folder.
