Skip navigation

Scan Your Network for Missing Office Updates

The Office Update Inventory Tool picks up where MBSA leaves off


Given the various worms, viruses, and exploits that target Microsoft Office components, keeping Office patched is almost as important as patching Windows is to your network's security. Together, Microsoft Baseline Security Analyzer (MBSA) and Windows Server Update Services (WSUS) do a good job of automating the process of managing Windows patches, but MBSA can scan only the local computer for missing Office patches.

Microsoft's Office Update Inventory Tool 2.1 gives you a way to scan your entire network for missing Office 2000 Service Release 1a (SR-1a) and later patches. This free tool can generate a report of missing Office updates for a group of computers. Although each computer must execute the tool locally, the inventory tool, unlike MBSA, can consolidate the scan results of all your computers into one actionable report.

Office Update Inventory Tool
The Office Update Inventory Tool comprises two executables: inventory.exe and convert.exe. Inventory.exe scans the local computer for Office applications and determines which applications are present, what updates are applicable to each application, and which of those updates have been installed. The Inventory component then creates a log file containing this information, names the file after the computer, and stores it in the specified output folder.

After running inventory.exe on each computer and directing all the log files to the same folder on the network, you run convert.exe once. Convert.exe collects all the log files and produces a consolidated report, which you can then use to asses the patch status of Office on your network.

How do you get the inventory tool to run on all computers on your network without logging on to each system and manually running the tool? Your options depend on the size of your network and how cooperative your users are. If you can depend on your users to cooperate, you can simply email everyone a link to the inventory tool. But for most networks, you'll want to automate the inventory process.

Obtaining an Inventory
To automate the Office Update Inventory Tool, you can include it in a startup or logon script that you configure through Group Policy. (To configure a startup or logon script, open any Group Policy Object—GPO—and navigate to Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) or User Configuration\Windows Settings\Scripts (Logon/Logoff), respectively.) Alternatively, you can create a scheduled task. All three options have advantages. I like startup scripts because they run under the authority of the local system, so there's no question about whether the inventory program will be able to complete. However, startup scripts execute only when the computer reboots, and most servers—and even many workstations—don't reboot regularly.

Logon scripts run each time the user logs on, but they run under the authority of the current user, who might not have the authority to run the inventory tool depending on how you configure security on workstations. Additionally, most servers can go for long periods without someone logging on at the console, which could delay scanning for or deploying important security patches.

I prefer the scheduled task approach because you can control when the task is executed and specify an account that has sufficient authority to install software. The Schtasks utility lets you create a scheduled task on remote systems from the command line. However, Schtasks isn't available under Windows 2000—if you run Win2K, you'll need to use the At command instead.

Step 1: Install the Office Update Inventory Tool
First, you need to download and install the Office Update Inventory Tool.

  1. Create a shared folder to hold the inventory tool. I'll call the folder \\mtg1\oinventory.
  2. Download invcm.exe and invcif.exe, the two self-extracting executables that make up the inventory tool, from
  3. Run invcm.exe. When prompted, specify \\mtg1\oinventory as the location for extracting the files. After running invcm.exe, you'll find the inventory tool's executables (convert.exe, inventory.exe, and oudetect.dll) in \\mtg1\oinventory.
  4. Run invcif.exe and direct it to extract its files to \\mtg1\oinventory. In oinventory, you'll see a new subfolder called cifs and a few new files, which constitute the database of all available Office updates. Whenever Microsoft releases an update for Office, the company also releases a new version of invcif.exe. Note that the database doesn't include the actual updates—it just contains identity information that lets the inventory tool detect whether an update has been installed on the computer that's being scanned.
  5. Create a subfolder in \\mtg1\oinventory called invout. We'll direct the inventory tool to use this folder for outputting its log files.

Step 2: Scan Your Domain
To scan a single computer, you can now simply log on to the computer and run the following command from the Run dialog box or a command-shell window:

  /s \\mtg1\oinventory\cifs  /o \\mtg1\oinventory\invout

You must type this command—and others provided in this article—all on one line.

To schedule a scan of a computer, you'd use the Schtasks command. For example, to schedule \\wkstn11 to run the inventory tool once at midnight on April 3, 2005, under the authority of an account named batchwork whose password is ksdkui#, you'd enter

schtasks /create
  /tn "Office Update Scan" 
  /s \\mtg1\oinventory\cifs  /o \mtg1\oinventory\invout"
  /sc once /st 00:00:00
  /sd 04/03/2005 /s wkstn11
  /u batchwork /p "ksdkui#"

Schtasks can create a task on only one computer at a time, but you can use the For command to call Schtasks once for each computer in your domain. Here's how.

  1. First you need a file that lists all the computers in your domain. GetListOfComputers.vbs, which Listing 1 shows, outputs the name of each computer in your domain. To download GetListOfComputers.vbs, go to, enter 46623 in the InstantDoc ID text box, and click the link.
  2. Run the command
    cscript GetListOfComputers.vbs
      //nologo > computers.txt
    to produce a file called computers.txt that contains the name of every computer in your domain.
  3. Now, use the For command to read the list and call Schtasks for each computer. The command
    for /f  %x in (computers.txt)
      do schtasks /create
      /tn "Office inventory" 
    /tr "\\mtg1\oinventory\inventory.exe
      /s \\mtg1\oinventory\cifs  /o \\mtg1\oinventory\invout"
      /sc once /st 00:00:00
      /sd 08/03/2005 /s %x
      /u batchwork /p "ksdkui#"
    calls Schtasks once (/sc once) at midnight (/st 00:00:00) on August 3, 2005 (/sd 08/03/2005), for each computer listed in computers.txt. The /s switch specifies the computer on which Schtasks is called, and %x is the current computer name from the computers.txt file. The command runs under the user profile batchwork (/u batchwork) and uses the password ksdkui# (/p "ksdkui#").

For Win2K, you need to use the At command instead, as I mentioned earlier:

for /f  %x in (computers.txt)
  do at \\%x 00:00 
  /s \\mtg1\oinventory\cifs  /o \\mtg1\oinventory\invout"

Step 3: Consolidate the Log Files
Run convert.exe manually to consolidate all the individual log files into one .xml file that you can analyze within Microsoft Excel. The command

  /d \\mtg1\oinventory\invout
  /o \\mtg1\oinventory\results.xml
  /xml \\mtg1\oinventory\patchdata.xml

consolidates the log files into a file named results.xml.

Step 4: Determine Which Updates Need to Be Installed
After convert.exe is finished, open results.xml in Excel. For each computer, convert.exe reports every applicable Office update that isn't already installed as well as each update that's been installed or has expired.

We're interested only in unexpired updates that haven't been installed. Click the EXPIRED6 column heading and select False. This filter immediately shortens the list to show just the updates that need to be installed for each computer.

Hide all columns except NAME, NAME3, PATCHID4, URL5, EXPIRED6, and BASELINEREQUIRED. Now, as Figure 1 shows, you have a workable list of the Office updates that are missing on your network. The NAME column specifies the computer name. NAME3 and PATCHID4 are the friendly and short names, respectively, of the update that the computer lacks. The BASELINEREQUIRED column specifies the prerequisite update, if any, that must be installed before you install the update in question. This column is informational only; WSUS makes sure that updates are applied in the correct order. (If you can't use WSUS to deploy updates, you can use OHotFix; see the sidebar "Using OHotFix When WSUS Isn't an Option" for instructions.) Sort on the PATCHID4 column to see a list of the updates that you need to install.

Using Schtasks is a good way to create a recurring task that runs the inventory tool regularly—every day and at system start-up, for example. Another benefit of executing inventory.exe regularly is that you can run convert.exe at any time and get a good picture of the status of Office updates on your network.

When you add new systems, be sure you create the scheduled task on those systems so that you don't begin to accumulate computers that never update Office. If the scheduled task doesn't run correctly, use the Task Scheduler log file (%systemroot%\SchedLgU.txt) to help diagnose the problem. The most common problems are a bad username or password or an account that lacks the Log on as a batch job right (SeBatchLogonRight) or that doesn't have sufficient permissions (e.g., Power User, Administrator) to install updates.

Finally, make sure you keep the inventory up-to-date so that the scheduled task looks for all applicable updates. To update the inventory manually at any time, simply run

  /update \\mtg1\oinventory

The /update switch causes inventory.exe to download the latest version of invcif.exe.

Take Charge of Updates
Most computers also house common third-party applications (e.g., WinZip, Adobe Systems products) that you need to keep patched. If a software vendor offers updates for its products in .msi format, chances are you can automatically deploy those updates through Group Policy's Software Installation feature. But the only tools that can help you deploy patches that aren't available in .msi format are Microsoft Systems Management Server (SMS) or Independent Software Vendor (ISV) patch management products such as those from St. Bernard Software or Shavlik Technologies.

The Office Update Inventory Tool can help you get a handle on Office security holes on your network if you're willing to do a bit of simple scripting. Running before- and after-update inventory reports lets you show management your progress and verify that your scheduled tasks have successfully updated Office throughout your network.

Using OHotFix
When WSUS Isn't an Option

If you can't use Windows Server Update Services (WSUS) to update your systems, perhaps because of unavailable server capacity or some other reason, you can use Microsoft's free OHotFix tool to deploy Office updates automatically. You can use OHotFix independently of the Office Update Inventory Tool. You place OHotFix in a shared folder on your network. To the same folder, you download Office updates for any combination of Office applications and versions. Then, when you execute OHotFix, it scans the local computer and installs all the updates you placed in its folder that are applicable to the local computer. Here's how to set up OHotFix.

  1. Create a shared folder on your network. We'll call the folder \\mtg1\ohotfix. Make sure that the Domain Computers group has Read and Execute access to the folder.
  2. Download offinst.exe, the OHotFix installation, from office/orkarchive/XPddl.htm.
  3. Run offinst.exe. When it asks you for a folder, point it to \\mtg1\ohotfix. Offinst.exe installs the three files that make up OHotFix (ohotfix.exe, ohotfixr.dll, and ohotfix.ini) to that folder.
  4. Download appropriate Office updates, which initially come in the form of .exe files. You can access the update libraries for Office 2003, Office XP, and Office 2000 from the Office Admin Update Center ( To download an update that you want to install with OHotFix, run the update from the command line with the parameters /c /t:target folder. (If you run the update without the parameters, it will assume you want to update only the local system.) For example, to download the March 8, 2005, update for the Outlook 2003 Junk Email Filter (office2003-kb892236-fullfile-enu.exe), open a command-shell window and type
        /c /t:\\mtg1\ohotfix
    This command extracts the actual update for the Junk Email Filter (outlfltr.msp) to the \\mtg1\ohotfix folder.
  5. After extracting the .msp files from all the Office updates you need to install, execute OHotFix from the target computer. The program will install from the shared folder only the .msp files that are applicable to the local computer. You could use the For command, the Schtasks utility, and the computers.txt file as I explain in "Scan Your Network for Missing Office Updates" to create a scheduled task on each computer that needs to install the latest Office updates.

Unless you have hundreds of computers, I wouldn't worry about them all accessing the OHotFix folder at the same time; the Windows server will serve the OHotFix-related files to all your computers out of cache. Of course, some computers might be down when their scheduled task is supposed to run or at the time OHotFix is scheduled to kick off. If you run the Office Updates Inventory Tool, you'll be able to identify such computers because they'll be missing Office updates.

Project Snapshot: How to
PROBLEM: Scan your entire network for updates that Microsoft Office needs.
WHAT YOU NEED: Windows Server 2003, Windows XP, or Win2K; Microsoft Office 2003, Office XP, or Office 2000 SR-1a or later; Microsoft Internet Explorer (IE) 5.0 or later.
DIFFICULTY: 2 out of 5
  1. Install the Office Update Inventory Tool.
  2. Scan your domain.
  3. Consolidate the log files.
  4. Determine which updates need to be installed.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.