Script to Deploy Patches
Using third-party applications to deploy hotfixes can be expensive. Although Microsoft Software Update Services (SUS) is free, SUS has additional server requirements that might be cost-prohibitive in small organizations. SUS also requires unpatched machines to be on the network, which opens the door for existing worms to wreak havoc.
As an alternative, I wrote the script Patch.bat to automate system patching on Windows 2000. Listing 2 shows a portion of this script. (You can download the entire script from the Windows Scripting Solutions Web site. Go to http://www.windowsitpro.com/
windowsscripting, enter InstantDoc ID 44603 in the InstantDoc ID text box, then click the 44603.zip hotlink.) Patch.bat is especially handy for using removable media to patch newly imaged systems as part of a build process. You can also use Patch.bat with domain logon scripts to deploy hotfixes without relying on manual patching or using Sysinternals' PsExec. Although Patch.bat works only on Win2K, you can download scripts that work on other OSs from my Web site (http://winpatch.homeip.net). If you're unsure of your machine's OS, my Web site also includes a script called OS Detection that can provide the OS information.
Patch.bat requires DirectX 7.0 (installed by default on Win2K), the Microsoft Windows NT Server 4.0 Resource Kit's reg.exe utility (to look for specific hotfix-related registry subkeys), and the UNIX sleep.exe utility. (The resource kit also includes sleep.exe.) If the necessary subkeys don't exist, the script uses a noninteractive mode (i.e., no restart necessary) to apply patches, then uses qchain.exe to chain hotfixes together at the end. The script skips reinstalling hotfixes for hotfix subkeys that already exist. In the script, .\ causes the script to be sensitive to the directory it runs in.
Patch.bat still requires tweaking, such as checking for consistent registry subkeys between patches (although I used the subkeys listed in the Microsoft Security Bulletins). You can easily edit the script's code to suit your environment. You'll also need to revise the script each time Microsoft releases a new patch update. As long as your company has a security policy that ensures remote clients log on to the VPN as soon as they connect to the Internet, you can also use the script to patch remote user systems.