Windows server 2003 - sp1 - corrupt patches

(imported topic written by bricker)

I had patched my 2003 terminal servers but had not applied SP1. I have since applied SP1 recently and they are returning tons of corrupt patches that need to be run individually. Is there any other way to resolve these other than running the individual patches on each server through BigFix? I can do it per patch for multiple machines but it still is extremely time-consuming… let me know what you think!!

(imported comment written by jessewk)

Bricker,

If you are using 6.0, you can make a baseline out of the corrupt patches. In the baseline editing dialog you can select the action to run. Then you can take a single action on the baseline and target your recently upgraded machines. This should save you a lot of time.

Try to keep your baseline to < 50 individual Fixlets.

-Jesse

(imported comment written by bricker)

Nice. Yeah, we are at 6.0. I’ll get with someone here who has done baselines and do that. Thanks man, appreciate it!

(imported comment written by bricker)

Jesse - thanks again. I created the baseline with the corrupt patches; however, it seems to want to reboot after several and is not qchaining them properly. For example, 2 patches would run and then stick at pending restart… if you reboot the box it shows complete, but is only complete on those 2 Fixlets… is there something special you have to do with a baseline that is different?

(imported comment written by jessewk)

bricker,

You are correct. The reason this happens is that each corrupt patch has relevance that includes ‘not pending restart’. This is to prevent the corrupt patches from becoming relevant after the initial patch is applied, but before the machine has been rebooted.

When you put the corrupt patches in a baseline, as soon as running one of the corrupt patches puts the machine in a pending restart state, none of the subsequent patches in the baseline will be relevant.

So, back to the drawing board…

Below is a script you can run in the presentation debugger. It will generate a single action script to install a bunch of corrupt patches. Downloads will be handled conditionally, i.e. they will only be downloaded if the original corrupt patch was relevant, but with the pending restart check removed. You can specify which corrupt patches to include by modifying the part ‘bes (fixlet 604606 of it; fixlet 604502 of it; fixlet 605306 of it)’.

To access the presentation debugger, in the console press Ctrl-Alt-Shift-D and check the ‘show debug menu’ box in the window that comes up. From the debug menu you can select the presentation debugger.

When you click evaluate in the debugger, make sure you choose the second radio button, ‘HTML’.

( "// " & name of it & "<br>"
  & ( " if {(" & preceding text of it & following text of it & ")}" ) of last "and (not pending restart)" of ( relevance of it as lowercase )
  & "<br><br>"
  & concatenation "<br>" of substrings separated by "%0A" of script of action 2 of it
  & "<br>" & "<br>endif<br><br>"
) of it whose ( relevance of it as lowercase contains "and (not pending restart)" AND number of actions whose ( script of it as lowercase does not start with "http://" ) of it = 1 )
  of ( fixlet 604606 of it; fixlet 604502 of it; fixlet 605306 of it )
  of bes site whose ( name of it = "Enterprise Security" )

The above will output code you can paste into the action script of a custom fixlet. The output should look like this:

// MS06-046: CORRUPT PATCH - Windows XP SP1/SP2

if {(((((((name of operating system as lowercase starts with "win") and ((language of version block of file "kernel32.dll" of system folder contains "english") or (exists value of key "hklm\system\currentcontrolset\control\nls\muilanguages" of registry))) and (not exists key "hklm\software\wow6432node\microsoft\windows\currentversion" whose (exists value "productid" of it) of registry and not exists values "processor_architecture" whose (it as string as lowercase = "ia64") of keys "hklm\system\currentcontrolset\control\session manager\environment" of registry)) and ((name of it = "winxp" and (it = "service pack 1" or it = "service pack 2") of csd version of it) of operating system)) and (exists key "hklm\software\microsoft\updates\windows xp\sp3\kb922616" of registry)) and ((csd version of operating system = "service pack 1" and ((exists file "hhctrl.ocx" whose (version of it < ") of it) of system folder)) or (csd version of operating system = "service pack 2" and ((exists file "hhctrl.ocx" whose (version of it < "5.2.3790.2744") of it) of system folder)))) )}
download http://download.microsoft.com/download/3/2/7/327df13f-17e8-4a47-af39-eb12c29f97c5/WindowsXP-KB922616-x86-ENU.exe
continue if {(size of it = 824120 AND sha1 of it = "cf1ee106a318c1fe135978f94ec0867312cea73b") of file "WindowsXP-KB922616-x86-ENU.exe" of folder "__Download"}
wait __Download\WindowsXP-KB922616-x86-ENU.exe /quiet /passive /norestart
run "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of client folder of site "BESSupport" & "\qchain.exe"}"
action may require restart
endif

// MS06-045: CORRUPT PATCH - Windows 2000 SP4

if {(((((((name of operating system as lowercase starts with "win") and ((language of version block of file "kernel32.dll" of system folder contains "english") or (exists value of key "hklm\system\currentcontrolset\control\nls\muilanguages" of registry))) and (not exists key "hklm\software\wow6432node\microsoft\windows\currentversion" whose (exists value "productid" of it) of registry and not exists values "processor_architecture" whose (it as string as lowercase = "ia64") of keys "hklm\system\currentcontrolset\control\session manager\environment" of registry)) and ((name of it = "win2000" and csd version of it = "service pack 4") of operating system)) and (exists key "hklm\software\microsoft\updates\windows 2000\sp5\kb921398" of registry)) and ((exists file "shell32.dll" whose (version of it < "5.0.3900.7105") of it) of system folder)) )}
download http://download.microsoft.com/download/2/3/6/236323d3-fd81-43a4-a42f-31fe74705c55/Windows2000-KB921398-x86-ENU.EXE
continue if {(size of it = 1243112 AND sha1 of it = "028f665cbf687260b46b9455e46b8fae1acd6316") of file "Windows2000-KB921398-x86-ENU.EXE" of folder "__Download"}
wait __Download\Windows2000-KB921398-x86-ENU.EXE /quiet /passive /norestart
run "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of client folder of site "BESSupport" & "\qchain.exe"}"
action may require restart
endif

// MS06-053: CORRUPT PATCH - Windows XP SP1/SP2

if {(((((((name of operating system as lowercase starts with "win") and ((language of version block of file "kernel32.dll" of system folder contains "english") or (exists value of key "hklm\system\currentcontrolset\control\nls\muilanguages" of registry))) and (not exists key "hklm\software\wow6432node\microsoft\windows\currentversion" whose (exists value "productid" of it) of registry and not exists values "processor_architecture" whose (it as string as lowercase = "ia64") of keys "hklm\system\currentcontrolset\control\session manager\environment" of registry)) and ((name of it = "winxp" and (it = "service pack 1" or it = "service pack 2") of csd version of it) of operating system)) and (exists key "hklm\software\microsoft\updates\windows xp\sp3\kb920685" of registry)) and ((csd version of operating system = "service pack 1" and ((exists file "ciodm.dll" whose (version of it < "5.1.2600.1860") of it or exists file "query.dll" whose (version of it < "5.1.2600.1860") of it) of system folder)) or (csd version of operating system = "service pack 2" and ((exists file "ciodm.dll" whose (version of it < "5.1.2600.2935") of it or exists file "query.dll" whose (version of it < "5.1.2600.2935") of it) of system folder)))) )}
download http://download.microsoft.com/download/6/3/a/63aa78dc-1fdc-4ae3-adb6-027f5ffd1c12/WindowsXP-KB920685-x86-ENU.exe
continue if {(size of it = 1302840 AND sha1 of it = "be0e9cea96e2ad48394aebe90d48edcc36ac38d5") of file "WindowsXP-KB920685-x86-ENU.exe" of folder "__Download"}
wait __Download\WindowsXP-KB920685-x86-ENU.exe /quiet /passive /norestart
run "{pathname of client folder of site "BESSupport" & "\RunQuiet.exe"}" "{pathname of client folder of site "BESSupport" & "\qchain.exe"}"
action may require restart
endif

You’ll also need to generate relevance for the Fixlet. You can paste this code into the presentation debugger to generate the relevance. Remember to make sure the Fixlet IDs match the Fixlet IDs you used to generate the action:

concatenation " OR " of ( "(" & relevance of it & ")" ) of ( fixlet 604606 of it; fixlet 604502 of it; fixlet 605306 of it ) of bes site whose ( name of it = "Enterprise Security" )

I think that will do. All you need to do is take an action on your new custom Fixlet and it should work just like a baseline.

There are 2 corrupt patches this won’t catch: MS04-025 and MS04-040 (Fixlet ID #402502 and Fixlet ID #404004)

Note that I have not tested this, so please do so carefully.
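To see the transformation Jesse's debugger relevance performs in a form you can run and unit-test outside the console, here is an added Python model (not from the thread and not a BigFix tool): the Fixlet record shape, URLs, names and sha1 values are constructed placeholders, and it adds one check the thread does not show, that every chained patch still verifies its download's sha1 before the wait.

```python
GUARD = "and (not pending restart)"
# Constructed sample Fixlets shaped as the thread's relevance reads them: action 1 is
# the vendor URL, action 2 the real script with %0A line breaks. Names, URLs and
# sha1 values are placeholders, not real patch data.
def _fixlet(name, rel, exe, sha1):
    script = ("download http://example.invalid/" + exe + "%0A"
              'continue if {(sha1 of it = "' + sha1 + '") of file "' + exe + '" of folder "__Download"}%0A'
              "wait __Download\\" + exe + " /quiet /passive /norestart%0Aaction may require restart")
    return {"name": name, "relevance": rel, "actions": ["http://example.invalid/kb", script]}

FIXLETS = [
    _fixlet("MS06-046: CORRUPT PATCH - Windows XP SP1/SP2",
            '(name of it = "WinXP") of operating system AND (not pending restart)',
            "WindowsXP-KB922616-x86-ENU.exe", "PLACEHOLDER_SHA1_A"),
    _fixlet("MS06-045: CORRUPT PATCH - Windows 2000 SP4",
            '(name of it = "Win2000") of operating system AND (not pending restart)',
            "Windows2000-KB921398-x86-ENU.EXE", "PLACEHOLDER_SHA1_B"),
]

def script_actions(fx):
    return [a for a in fx["actions"] if not a.lower().startswith("http://")]

def chainable(fx):
    # The thread's filter: guard present in the relevance and exactly one non-URL action.
    return GUARD in fx["relevance"].lower() and len(script_actions(fx)) == 1

def strip_guard(relevance):
    # 'preceding text' & 'following text' of the LAST guard, on the lowercased relevance.
    before, _, after = relevance.lower().rpartition(GUARD)
    return before + after

def build_action_script(fixlets):
    # One if {...} ... endif block per Fixlet, so a pending restart left by an earlier
    # patch no longer makes the later ones in the chain non-relevant.
    blocks = []
    for fx in fixlets:
        if chainable(fx):
            body = script_actions(fx)[0].replace("%0A", "\n")
            blocks.append(f"// {fx['name']}\nif {{({strip_guard(fx['relevance'])})}}\n{body}\nendif\n")
    return "\n".join(blocks)

def hash_guarded(action_script):
    # Check worth adding: every wait on a downloaded file must follow a 'continue if'
    # in the same block that verifies sha1, so an unverified download is never executed.
    for block in action_script.split("endif"):
        w = block.find("wait __Download")
        if w != -1:
            c = block.find("continue if {")
            if c == -1 or c > w or "sha1 of it" not in block[c:w]:
                return False
    return True
```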

(imported comment written by bricker)

Nice. I will give this a try today. Thanks.