Gfi Manual Download Wsusscn2.cab

  • This topic has 3 replies, 3 voices, and was last updated 4 years, 4 months ago by Preenesh Nayanasudhan.
  • Oct 27, 2015 This is a small script for keeping wsusscn2.cab up-to-date. Modify it appropriately for your needs (beware of the paths). One can schedule it as a specific task.
  • How to update GFI LanGuard if in a secure network. Article applies to: GFI LanGuard 12 (all builds). All update servers of Third-Party Vendors supported by GFI LanGuard; Perform a manual program update and choose the 'Update. When using this option GFI LanGuard will download every patch for every version of operating system and/or.

Jun 20, 2019  It does not download or install updates. Sole purpose of this script is to find out how long it takes to download the required cabfile, then process it against a live system and return the list of updates available for that system.

    • I'm trying to look and find if there is a way to use PowerShell to use the wsusscn2.cab file to scan a server for missing patches. I cannot use MBSA to assist in any way for this.

      Has anyone run into a similar issue or can point me in the right direction?

    • I think the most you could maybe do is run Get-Hotfix to get a list of what IS installed, and then diff that off the list in the cab file. It's not going to be a simple task, and it's not like there's a single command that'll do it. It's really all set up to use MBSA, so not being able to use that is almost a deal breaker. It's like trying to drive a car without using the gas pedal ;).

    • You would need to use Windows Update Agent API
      You would want to take a look at https://msdn.microsoft.com/en-us/library/windows/desktop/aa387290%28v=vs.85%29.aspx

      Note you would need to have PowerShell v3 on the machine you're running the script on for it to work.

      Thanks Preenesh !!

  • The topic ‘Find missing patches offline with Wsusscn2.cab’ is closed to new replies.
One of the most important things you have to do when you want to keep a Windows system secure is to install security patches and updates periodically. This task is pretty straightforward in a normal environment but becomes a bit more difficult on isolated networks or on systems where you don’t want to «make a mess» by installing software just to list missing security patches.

In Windows, there are several built-in commands that allow you to list detailed information about the security patches and updates installed on the system:

Wmic qfe list brief /format:texttablewsys

Get-Hotfix

Nothing new here… the main problem is that, in order to harden the system, what we want is just the opposite: the list of missing security patches. This could be achieved by installing MBSA (Microsoft Baseline Security Analyzer), a Microsoft tool that allows you to perform a basic security analysis of your system, including checks for weak passwords, administrative vulnerabilities and missing updates, among other things.

However, this would require the installation of additional software and, as we have mentioned before, we don’t want to make changes on the system. The solution is to use MBSA as standalone software. Although Microsoft forces you to install the full version of the software, MBSA can work using just three components:

  1. Mbsacli.exe (the executable itself)
  2. wsusscn2.dll
  3. wsusscn2.cab (the file containing the offline updates catalog)

The following command will check for installed patches on the system and generate an XML containing the status of each one of them (either installed or not installed) along with other information such as the name, bulletin ID, KBID, URL to download the patch, etc.

cmd.exe /c <mbsacli_path> /catalog <wsusscn2_path> /xmlout > c:\temp\updates.xml

The good thing is that, now that we have an XML file containing all the information related to system patches, it is easy to write a piece of code to parse the file and list which patches are missing on the system. To do so, I’ve written a simple PowerShell script (available here) with the following functionalities:

  • Check if the wsusscn2.cab catalog is outdated and, if so, give the user the option to download the latest version (requires internet connection).
  • Check for missing patches on the system and list the IDs of those patches.
  • Download missing patches to a temporary folder (requires internet connection).
  • Import results from an MBSA execution in an isolated environment to download the patches on an internet-connected one.
  • Generate a .bat script to automate the installation of missing patches.

To execute the script, mbsacli.exe, wsusscn2.cab and wsusscn2.dll must be stored in the same folder. If no MBSA or output folder is specified, the script will set both folders to C:\temp by default. What we can do now is generate the XML file in the isolated environment and then move to a computer connected to the internet to get the missing updates and generate the .bat file to install them. I also wanted to perform some signature verification of the downloaded patches but unfortunately Microsoft does not provide an MD5 or SHA1 signature list.
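
The parse-and-generate steps described above, as an added example that is not the author's script. The XML element and attribute names are an assumption about the mbsacli /xmlout layout, and the embedded report, bulletin IDs and URLs are constructed sample data.

```powershell
# Added example: the XMLOut/Check/Detail/UpdateData layout is an assumed mbsacli /xmlout
# schema, and the report, IDs and URLs below are constructed sample data.
[xml]$report = @'
<XMLOut>
 <Check Name="Windows Security Updates">
  <Detail>
   <UpdateData ID="MS00-001" KBID="0000001" IsInstalled="true">
    <Title>Constructed update A</Title>
    <References><DownloadURL>https://example.invalid/kb0000001.msu</DownloadURL></References>
   </UpdateData>
   <UpdateData ID="MS00-002" KBID="0000002" IsInstalled="false">
    <Title>Constructed update B</Title>
    <References><DownloadURL>https://example.invalid/kb0000002.msu</DownloadURL></References>
   </UpdateData>
   <UpdateData ID="MS00-003" KBID="0000003" IsInstalled="false">
    <Title>Constructed update C</Title>
    <References><DownloadURL>https://example.invalid/kb0000003.exe</DownloadURL></References>
   </UpdateData>
  </Detail>
 </Check>
</XMLOut>
'@

function Get-MissingPatch([xml]$Report) {
    # XPath handles zero, one or many UpdateData nodes without special cases
    foreach ($u in $Report.SelectNodes('//UpdateData[@IsInstalled="false"]')) {
        $url = $u.SelectSingleNode('References/DownloadURL')
        [pscustomobject]@{
            Bulletin = $u.GetAttribute('ID')
            KB       = 'KB' + $u.GetAttribute('KBID')
            Title    = $u.SelectSingleNode('Title').InnerText
            Url      = if ($url) { $url.InnerText } else { $null }
        }
    }
}

function ConvertTo-InstallBatch($Patches, [string]$Folder = 'C:\temp') {
    '@echo off'
    foreach ($p in $Patches) {
        if (-not $p.Url) { "rem $($p.KB): no download URL in report"; continue }
        $file = Join-Path $Folder ([IO.Path]::GetFileName(([uri]$p.Url).AbsolutePath))
        if ($file -like '*.msu') { "wusa.exe `"$file`" /quiet /norestart" }
        else { "rem $($p.KB): $file needs its own silent-install switches" }
    }
}

$missing = @(Get-MissingPatch $report)
$missing | Format-Table Bulletin, KB, Title -AutoSize
ConvertTo-InstallBatch $missing   # pipe to Set-Content to write the .bat file
```

Only .msu packages get an install line because their wusa.exe switches are uniform; other package types are emitted as comments so they are reviewed by hand.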

Hope you like it! Any contribution to improve the script will be appreciated!