Home > Articles > Security > Software Security

This chapter is from the book

Determining the Status of Service Packs and Security Updates

Two Microsoft tools are available to help determine the status of the service packs and security updates on Windows computers: Microsoft Baseline Security Analyzer (MBSA) and hfnetchk.


MBSA is a GUI tool that can report the status of several security settings and uses a version of the command-line tool hfnetchk to determine the patching status of a specific machine or an entire network of machines. Reports can be archived, and notes in the reports explain the missing patches or point to Web-based repositories for further information and download. Used on a single machine, MBSA can serve as a diagnostic tool and can update the system. In the version of the tool that is available at the time of this writing, multiple machine updates directly from the tool are not possible.

MBSA also has a command-line version that you execute by typing mbsacli.exe at the command prompt. Table 3.1 describes the command-line switches that can be used with this command.

Table 3.1 mbsacli.exe Command-line Switches

Switch and Parameters


/c <domainname>\<computername>

Scans the named computer

/i <xxx.xxx.xxx.xxx>

Scans the computer at this IP address

/r <xxx.xxx.xxx.xxx> - <xxx.xxx.xxx.xxx>

-Scans computers at any IP address in this range

/d <domainname>

Scans the domain

/n IIS

-Skips Internet Information Server (IIS) checks

/n OS

Skips operating system checks

/n password

Skips password checks

/n SQL

Skips SQL checks

/n hotfix

Skips hotfix checks

/o %domain% - %computername%(%date%)

Specifies a filename for the output file


Lists errors from the latest scan


Lists all reports available


Lists reports from the latest scan

/lr <reportname>

Displays an overview report

/ld <reportname>

Displays a detailed report


Gets help


Does not display progress


Does not display a list of errors


Does not display a list of reports


Does not display anything


Redirects output to a file


An update of the MBSA tool has been released; however, Exam 70-214, "Implementing and Administering Security in a Windows 2000 Network," was written before this release, so this book comments only on the original tool. You should download the current edition of the tool and explore it, but remember that the exam questions were created before the tool was upgraded.

MBSA can be freely downloaded from Microsoft's site. The following sections discuss the requirements for running MBSA, how MBSA works, and how to use the reports that it provides.

MBSA Requirements

In order for MBSA to run, it must be installed on a Windows 2000 or Windows XP computer. It can, however, scan Windows NT 4.0 Service Pack 4 and above, Windows XP, and Windows 2000 computers. (Only local scans can be executed against a Windows XP Home Edition computer or a Windows XP Professional Edition computer using simple file sharing.) In addition, MBSA scans for problems with SQL Server, Microsoft Office, Windows Media Player, Exchange Server 5.5 and 2000, Internet Explorer (5.01 or later), and IIS (4.0 or later) if these applications are present.

The following are additional requirements for running MBSA:

  • Internet Explorer 5.01 or greater must be installed, or you must have the XML parser.

  • An XML parser (such as MSXML version 3.0, Service Pack 2) is needed. If a system is not running Internet Explorer 5.01 or greater, you need to download and install an XML parser. You can do this during setup.

  • IIS common files are needed on the computer on which the tool is installed, if MBSA will be used to scan IIS computers.

In order to use MBSA to scan a computer, the computer must meet the following requirements:

  • Internet Explorer 5.01 or greater must be installed.

  • The user doing the scanning must have administrative privileges on each computer being scanned, whether the scan is local or remote.

  • The server service must be running and Remote Registry Service must be running on Windows 2000 and Windows XP computers.

How MBSA Works

MBSA scans computers for common security misconfiguration problems and hotfix installations. It then reports the results. MBSA uses a custom version of hfnetchk for its hotfix analysis and downloads a current copy of the mssecure.xml file from Microsoft when it is run.

The following parts of the MBSA scan are optional and can be turned off in the interface prior to the scan:

  • Windows operation system checks

  • IIS checks

  • SQL checks

  • Hotfix checks

  • Password checks

Figure 3.1 displays the MBSA options and shows how a computer can be selected for a scan.

Figure 3.1Figure 3.1 MBSA options.

Scan reports are stored on the computer on which the tool is installed, in the %userprofile%\Security Scans folder. Each computer scanned produces its own report.

During the scan, vulnerability tests and security status checks are made (the items marked with asterisks (*) are critical checks):

  • Tests for weak passwords by attempting to log on with a blank password, password, PASSWORD, the username, and the administrator name. This check notifies you of any locked out or disabled accounts.*

  • Checks for missing service packs or hotfixes.*

  • Checks for the number of members in the local Administrators group. If more than two are identified, this fact is listed.*

  • Checks to see that all volumes use NT File System (NTFS).*

  • Checks to see if autologon is enabled.*

  • Tells you whether the guest account is disabled.*

  • Checks the setting on restrict anonymous.*

  • Checks to see if auditing is enabled.

  • Checks the services.txt file (part of the MBSA program) and advises whether these potentially unnecessary services are running.

  • Lists the shares available on the computer. It indicates that these shares exist even if file sharing has been disabled.

  • Lists the Windows version.

  • Checks Internet Explorer security zones and alerts to see if they differ from the defaults. (MBSA will note if your settings are different, even if your settings may be more secure.)

  • Checks PowerPoint, Excel, Word, and Access for macros protection.

  • Checks the version of Windows 2000 Server.

  • Provides an overall security assessment in the form of a risk factor, such as Severe Risk or Low Risk.

MBSA Reports

MBSA reports are used for several things, including the following:

  • The overall rating may be used to identify systems that benefit most from security configuration. The higher the overall risk reported, the more work that needs to be done to secure them. You should use caution. You need to weigh the risk factor reported against the role of the computer. In most circumstances, a critical server should be dealt with before a user's desktop, even if MBSA gives the desktop a higher risk factor.

  • Each vulnerability assessment can be explored for information on what was scanned, what the results were, and what to do to correct the problems that might show up in the reports. Often, explanations and pointers to further reading allow exploration of the topic. For a small business or for a user with a single desktop system, this might be the only exposure to security issues; therefore, the explanation and steps to improve security are valuable.

  • Notification of missing hotfixes is a good indicator of the hotfixes that need to be downloaded and installed. The tool does not provide a way to automate hotfix application updates to multiple systems or to easily apply multiple hotfixes. However, you can use it to download and install one hotfix at a time. The tool identifies each missing hotfix and provides a link to the security bulletin and download path.

  • Because scans can be run remotely and reports can be stored at a central location (they are stored on the computer the scan is run from), they can provide a picture of security across a domain or network without requiring a visit to each individual machine. This audit does not need to occur at the same time that the scan is run.

  • If old reports are kept, improvement over time can be noted, although there is no automated way to compare report results.

Figure 3.2 displays a portion of a report that indicates the major security checks and the options available for discovering what was scanned and what to do about the results. In this example, the system failed one or more of the critical security checks, resulting in a rating of Severe Risk.

Figure 3.2Figure 3.2 An MBSA Severe Risk report.


The Microsoft Network Security Hotfix Checker, hfnetchk, is a command-line utility that can be used to determine the patch status of a Windows computer. It can be used to examine Windows XP, Windows 2000, Windows NT 4.0, Microsoft SQL Server, and IIS 4.0 and 5.0. It does not display hotfix information for Exchange Server or other Microsoft products. The requirements for running hfnetchk are the same as those for running MBSA.


hfnetchk was developed by Shavlik Technologies LLC (http://www.shavlik.com), which also produces a GUI version and an advanced command-line version of the tool. Documentation on the Shavlik site can help you understand how to use hfnetchk.

How hfnetchk Works

hfnetchk uses a combination of approaches to determine whether a security hotfix has been applied. It searches registry keys, checks file versions, and compares file checksums. If the information is missing or incorrect, hfnetchk reports the fix as not being installed. If there is a mismatch (for example, a registry key exists, a file checksum is incorrect), hfnetchk says that the hotfix is not installed and perhaps gives a warning status. In some cases, hfnetchk cannot determine whether a fix has been applied. The information may not be accessible, the fix may be a configuration, or there may be some other action that the tool cannot reliably check. These items are reported as note messages. In this case, a note explains the issue or points to a solution, which in most cases allows the administrator to determine patch status.

When you run hfnetchk, the tool automatically downloads the mssecure.xml file from Microsoft. This file is kept up-to-date and indicates the current hotfix requirements. The date on this file is displayed when you run hfnetchk.

You can run hfnetchk on isolated computer systems (those not connected to the Internet) or on systems that you do not want to access the Internet for this purpose by downloading a copy of the mssecure.xml file to another computer, placing a copy on the isolated computer, and using the –x switch. When hfnetchk is run using the –x switch, it does not attempt to access the file on Microsoft's site; it instead uses the local copy of mssecure.xml.

By default, hfnetchk requires access to the Internet in order to access information on the most recent updates. However, a copy of the update file can be downloaded from Microsoft from a computer that you use to access the Internet and then used on computers that do not have Internet access. The mssecure.xml file can reside on the local computer system, a network share, or an intranet Web site.

To use a local network share, you use this command:

hfnetchk –v –z –x s:\security\mssecure.xml

In this command, s:\security\mssecure.xml is the local path to the file.

To use an intranet site, you use this command line:

hfnetchk –v –z –x http://mysite.abc/mssecure.xml

In this command,

is the URL where you have stored the mssecure.xml file.

Many other switches are available, as listed in Table 3.2.

Table 3.2 hfnetchk Switches




Views the specific reason the patch is considered not found


Disables registry checks


Reads a list of computer names and performs a scan against multiple computers


Uses a list of IP addresses instead of computer names


Supplies a username for remote computers


Supplies a password


Seeks the mssecure.xml file locally

-s 1

Stops note messages from being displayed

-s 2

Stops warning messages from being displayed


Redirects the hfnetchk output to a file

The following command line, for example, uses a local copy of mssecure.xml and puts the output in tab-delimited form in the scan.txt file. It also disables registry checks and lists the specific reason for the failed check:

hfnetchk –v –z –x mssecure.xml –f scan.txt -otab 


You can download the signed mssecure.xml file from http://download.Microsoft.com/download/xml/security/1.0/nt5/en-us/mssecure.cab.

Or you can get the uncompressed form of the file from http://www.microsoft.com/technet/security/search/mssecure.xml.

A digitally signed, compressed .cab file is not decompressed by hfnetchk unless it is signed by Microsoft.

hfnetchk Requirements and Common Usage Mistakes

When hfnetchk was first released, a large number of problems were reported. Fortunately, most of them could be traced to two factors: Administrators were not accustomed to command-line tools, and administrators did not read the documentation. Using and troubleshooting hfnetchk is very simple if you understand these issues. First, the administrator must understand that clicking the executable in the GUI does not run the program. The administrator must use the command line and add switches and the appropriate values. Second, if the administrator reads the documentation, he or she will find that several requirements must be fulfilled. Understanding these requirements and making sure they are met will prevent most common problems from occurring. Finally, reading the report and the documentation it lists for further guidance will answer many common questions. Table 3.3 lists hfnetchk requirements and common problems as well as their resolution or where to find additional information.

Table 3.3 hfnetchk Problems and Requirements

Problem or Requirement

Notes or Resolution

hfnetchk might not run.

hfnetchk does not require Administrative privileges to run the command locally. However, use of the command on remote computers requires administrative privileges on each remote computer.

After you run hfnetchk, two entries on the report may include the same bulletin.

Bulletins can identify two or more patches to be installed. hfnetchk treats each patch separately and lists the relevant bulletin more than once if more than one bulletin-related patch is missing.

When hfnetchk is run against a pristine installation of Windows 2000 (with no service pack), many patches listed on Microsoft's Web site are not listed as missing.

A service pack must be installed before post–service pack patches are listed as not found..

If hotfixes are superceded by newer fixes, and the newer fix is installed, the old hotfixes do not show up as missing.

You can use the –history 2 switch to display all hotfixes, even those that have been superceded.

hfnetchk may run locally, but it fails to scan a remote computer.

To scan a remote computer, hfnetchk must have NetBIOS access to the server service. On computers running Windows 2000 and later, NetBIOS access to Remote Registry Service is also necessary.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020