Tuesday, 22 June 2010

Scan machines for windows patches using WMIC

Last week I had a requirement to check if a list of servers had last month's Windows patches installed. There are tools out there that do just this, however I could not find a free one.

A quick script using wmic gave me what I required.

For /F %i in (Servers.txt) do @echo %i >>Output_june.txt && (for /F %j in (patches.txt) do @wmic /node:%i qfe where HotFixID="KB%j" get InstalledBy, Description 2>nul | find "Win" >> Output_june.txt)

There are two "for" loops:
Loop 1 goes through the list of servers in a file named "Servers.txt".
Loop 2 goes through the list of KB numbers of the patches you are interested in that are stored in a file named "patches.txt".

The output is written to a file named Output_june.txt. This is a crude script and it should be modified to log error messages, which it currently discards ("2>nul"). It is also not a replacement for auditing tools, since it does not know whether a particular server requires a patch or not. It just checks if the patch is installed and, if it is, gives you the username of the person who installed it and the patch description as seen by wmic.
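A batch-file version of the same scan with the error logging described above, added here as an example and not the original post's script. It assumes Servers.txt and patches.txt in the current directory, keeps wmic's stderr in a separate log instead of sending it to nul, skips hosts that WMI cannot reach, and filters on the HotFixID column rather than the description text so the match does not depend on how the description is worded.

```batch
@echo off
rem Added example, not the original post's one-liner. Assumes Servers.txt and
rem patches.txt in the current directory, one server name / KB number per line.
rem Results go to OUT; everything wmic writes to stderr goes to ERR instead of nul.
set "OUT=Output_june.txt"
set "ERR=Errors_june.txt"

echo Scan started %date% %time% > "%OUT%"
echo Scan started %date% %time% > "%ERR%"

rem Notes on the loop below (kept out of the block to avoid cmd parsing pitfalls):
rem  - The os query is a reachability check. If WMI cannot be reached, wmic writes
rem    a "Node - server" line and an ERROR line to stderr, so the failure is kept
rem    in ERR and the KB loop for that host is skipped.
rem  - Asking for HotFixID as well means the data row contains "KB" while the
rem    header row does not, so find "KB" keeps exactly the installed-patch rows.
rem  - A KB that is not installed makes wmic print a "No Instance" message on
rem    stderr; it also shows up in ERR, and find returns errorlevel 1, which is
rem    what the NOT INSTALLED line is keyed on.
for /F "usebackq" %%i in ("Servers.txt") do (
    echo === %%i >> "%OUT%"
    wmic /node:%%i os get Caption 2>>"%ERR%" | find "Win" >nul
    if errorlevel 1 (
        echo %%i: WMI query failed, see %ERR% >> "%OUT%"
    ) else (
        for /F "usebackq" %%j in ("patches.txt") do (
            wmic /node:%%i qfe where HotFixID="KB%%j" get HotFixID,InstalledBy,Description 2>>"%ERR%" | find "KB" >> "%OUT%"
            if errorlevel 1 echo %%i: KB%%j NOT INSTALLED >> "%OUT%"
        )
    )
)

echo Scan finished %date% %time% >> "%OUT%"
```

Run it from a prompt with rights to query WMI on the target servers; the same caveat applies as for the one-liner, it reports what is installed, not what each server actually needs.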

Hope this helps someone who may have a similar requirement.