HFNetChk version 3.3 OVERVIEW ============================= The remainder of this document covers: - How to use HFNetChk - Knowledge Base Articles - Interpreting Output and Locating Patches - System and Language Applicability - System Requirements - Determining HFNetChk Version Number - List of Updates and Fixes in version 3.3 - Support, Reporting Bugs or Providing Feedback on HFNetChk HOW TO USE HFNETCHK =================== From a command prompt, type the following: 'hfnetchk' (without the quotes) and press enter To see verbose output (reason why a hotfix was considered NOT found, details about warning messages, and details about note messages) use the following syntax: 'hfnetchk -v -z' To scan a system against baseline security standards, use the following syntax 'hfnetchk -b' To view additional command line syntax options, type the following: 'hfnetchk -?' Knowledge Base Articles ======================= For more information on how to use HFNetChk, please see the following Knowledge Base Article: Q303215 - http://support.microsoft.com/support/kb/articles/q303/2/15.asp Frequently Asked Questions about HFNetChk: Q305385 - http://support.microsoft.com/support/kb/articles/q305/3/85.asp Information about NOTE messages: Q306460 - http://support.microsoft.com/support/kb/articles/q306/4/60.asp (above URLs may have been wrapped) INTERPRETING OUTPUT and LOCATING PATCHES ======================================== If the system being scanned is missing a patch, you will see output similar to the following: Patch NOT Found MS01-013 Q285156 MS01-013 refers to the Microsoft Security Bulletin 01-013. Q285156 refers to Microsoft Knowledge Base article Q285156. To obtain the patch for this issue, please read the Microsoft Security Bulletin and view the section titled "Patch Availability". Microsoft Security Bulletins can be viewed at the following URL: http://www.microsoft.com/technet/security/current.asp Knowledge Base articles may be viewed by entering the Q number into the search field on the following page: http://support.microsoft.com If you believe you have applied the patch, but it still appears as missing, please run hfnetchk with the following syntax: 'hfnetchk -v -z' The resulting output will show you the reason why the patch was considered not installed. Please confirm that you have obtained the latest version of the patch from the Microsoft web site, as patches are occasionally re-released. SYSTEM AND LANGUAGE APPLICABILITY ================================= The 3.3 version of HFNetChk may be run from Windows NT 4.0, Windows 2000, or Windows XP machines. This tool will NOT operate on Windows 95, Windows 98, or Windows Me systems. HFNetChk 3.3 can be used to scan systems of any language*. HFNetChk automatically recognizes non English-language systems and performs registry key and file version tests only (checksum tests are not performed). * HFNetChk is unable to assess Windows NT 4.0-based computers that run Japanese, Chinese Simplified, Chinese Traditional, Korean, or Chinese Hong Kong. SYSTEM REQUIREMENTS =================== - Windows NT 4.0 - Windows 2000 - Windows XP - Internet Explorer 5.0 or greater, or - An XML parser is necessary in order for the tool to function correctly. Systems not running Internet Explorer 5.0 or greater will need to download and install an XML parser in order to run this tool. The Server Service (as well as the Remote Registry service on Windows 2000 and Windows XP) is required to be running on all remote systems being scanned. These services are not required when scanning a local system. (The Server Service is installed when the File and Print Sharing feature is enabled on the system. The Server Service is what allows users to authenticate against and connect to the specified machine. The Server Service may have been disabled on a machine to prevent users from connecting to the system (this is frequently done when securing machines such as a web server). Obtaining an XML parser ----------------------- XML parsers have shipped in each version of Internet Explorer since IE 5.0. If you are running IE 5.0 or greater, you do not need to install a separate parser*. - If you are running an earlier version of Internet Explorer and do not wish to upgrade to IE 5.0 or greater, you may download and install a standalone version of the Microsoft XML parser. MSXML version 4.0 is available from the following location: http://msdn.microsoft.com/downloads/default.asp?url=/downloads/sample.asp?url=/msdn-files/027/001/766/msdncompositedoc.xml (above URL may have been wrapped for readability) Additional information on the Microsoft XML parser is available from http://www.microsoft.com/xml *If you are running IE 5.0 or greater... ------------------------------------- but the tool is still unable to read or locate the XML file, there is a chance that another application may have "unregistered" the XML parser. To "re-register" the XML parser, please type the following at a command prompt: 'regsvr32 msxml.dll' (without the quotes) DETERMINING HFNETCHK VERSION NUMBER =================================== You can determine which version of HFNetChk you are running by viewing the first line of output provided when running the tool: C:\hfnetchk.exe Microsoft Network Security Hotfix Checker, 3.3 UPDATES AND FIXES IN HFNETCHK 3.3 ================================= The following issues have been addressed in the 3.3 release: New Switches: ------------- - (-u) and (-p) to specify username and password for scanning remote systems. - (-f) to write the results to a specified output file. (Note: this will overwrite, not append, data to the specified output file.) - (-fh) to specify the name of a file containing NetBIOS machine names to scan. One machine name per line, 256 max per file. -(fip) to specify the name of a file containing IP addresses to scan. One IP address per line, 256 max per file. Functional Updates: ------------------- - It is now possible to scan the local machine when the Server Service has been disabled (or has not been installed.) - A warning message will be presented if the installed product is not running the latest available Service Pack. - IP addresses may be used when executing a scan from a Windows NT 4 system. (Note: remote system IP addresses must resolve to machine names in order for this feature to work from NT4 systems.) - Code has been added that will automatically check to see whether the downloaded mssecure.cab file has been signed by Microsoft. If the downloaded file (mssecure.cab) has been properly signed by Microsoft, HFNetChk will automatically expand the file and will not prompt the user to accept the signed package. - This version will correctly identify .NET server machines and IIS 6.0 machines. (Patches have not been released for these platforms, nor has the XML file been updated with information on these platforms, but the proper product names will now appear in the output.) - If the tool is unable to access the mssecure.cab file from the Microsoft server, it will next try to download the expanded mssecure.xml file from http://www.microsoft.com/technet/security/search/mssecure.xml. If this also fails, HFNetChk will then search the local system for versions of the CAB and XML files. Output: ------- - To enhance performance, tab output (-o tab) is required when scanning more than 255 hosts. - Both MachineName and IPaddress are displayed in wrap and tab output. Format is: MachineName (IPAddress) In instances where either value cannot be resolved from the other, the known value will be displayed in both locations. Enhancements: ----------- - Fixed bug where domain controllers were identified as workstations instead of servers. As a result, not all available hotfixes would be displayed when scanning domain controllers. - Results include status on all installed products, even when a given product is up to date on patches. - Text alignment has been enhanced for wrap and tab output. - Enhanced error reporting when access is denied to a machine or there is an error in reading the remote system's registry. - Improved -d domain scanning. - Improved support when scanning workgroups (using -d). - Improved memory management when performing large scans. - Improved recognition for SQL Server 2000 Service Packs. Additional features, such as scanning for Exchange or Office patches, are being considered for a future release of HFNetChk and are not included in this release. SUPPORT, REPORTING BUGS OR PROVIDING FEEDBACK ON THIS TOOL ================================================= Support for HFNetChk is available via a public newsgroup. To access the newsgroup, configure your news reader (Internet Explorer - Tools - Mail and News - Read News) to point to news.microsoft.com. View the list of available newsgroups and subscribe to microsoft.public.security.hfnetchk. Usernames and passwords are not required to access this newsgroup. When reporting bugs to this newsgroup, please include the following information: - Operating System and Service Pack version, - Internet Explorer version, - HFNetChk version, - Command line syntax used to execute HFNetChk - Output from hfnetchk -v -z (when possible) =========================================================================== HFNetChk was developed for Microsoft by Shavlik Technologies LLC (http://www.shavlik.com/security). More information about Shavlik, including a GUI version and an advanced command-line version of HFNetChk, is available on the http://www.shavlik.com/nshc.htm web site.