14 Replies Latest reply on Aug 24, 2005 3:14 AM by Robin Spinks

    Auto Download Windows Patches

      My client wants to automatically download any patches that are highlighted by patch analysis.


      I've done this for Solaris, but I can't see a way to do it for Windows.

        • 1. Re: Auto Download Windows Patches

          Hi Rob,


          I think the best solution to your problem (in my opinion) would be to script an automatic download of all patches from the MS site and shuv them straight into the depot. This is the process currently in use on our contract.


          Is this suitable?




          • 2. Re: Auto Download Windows Patches

            I'm currently at Capgemini trying to reconfigure the perl script to download, expand and parse the cab files from shavlik.


            The download & parse runs fine, but the cab files don't appear to contain xml files.


            If you browse into them in windows they appear to be xml files, but if you extract them & open them in notepad, they are not text.


            Any ideas out there?

            • 3. Re: Auto Download Windows Patches

              I believe Shavlik encrypts their contents. At least, that's what it says on their web site.



              • 4. Re: Auto Download Windows Patches

                Ah, yes. That would explain it.


                Any ideas on how to decrypt them?


                Will it be at all possible to parse them with a perl script, considering the shavlik faq states that they cannot be read by an xml parser?

                • 5. Re: Auto Download Windows Patches

                  Shavlik actually provide an mssecure.cab at http://xml.shavlik.com/mssecure.cab which can be parsed in the same way as mssecure.cab from microsoft to download patches.


                  The trouble with this is I am uncertain how accurate this file is since it is not what we use in patch analysis jobs.


                  Can anybody confirm that mssecure.cab contains the same information, and is as up to date, as HFNetChk.cab and PD4.cab?

                  • 6. Re: Auto Download Windows Patches


                    if it is up to date, I imagine it is the same as the one published by MS upon which they are basing HFNetChk. Don't quote me on that though. In any event, HFNetChk is going to have the superior information that will encompass more MS products and handle roll-ups, service packs, etc.


                    I believe that HFNetChk.cab is unencrypted and parsed by the shavlik dlls that are installed on the target machines as part of the agent install. We do not have the ability to decrypt them ourselves and I don't think our agreement with them would allow that anyway.


                    You may be best off to find out how we are interfacing with the shavlik components to get the download information and use that. I think that info would be in the PD4.cab, but am not sure.

                    • 7. Re: Auto Download Windows Patches

                      This from BladeLogic Engineering:


                      Shavlik keeps these URLs for people using their old version of the product. For example they have mssecure.cab, HFnetChk.cab and HFnetChk5.cab files. Our 6.3 release only works with HFNetChk.cab and 6.3.2 is going to be working with HFNetChk5.cab. It is not possible to specify different XML files for their API.


                      Mssecure.cab and HFNetChk.cab are equivalent files with patch information. These two files do not contain download information for all languages. PD4.cab and PD5.cab XML files contain download URLs. Even if it is possible to use mssecure.cab, you will not get right download URLs from Microsoft.

                      • 8. Re: Auto Download Windows Patches

                        So, it looks like parsing mssecure.cab is not a suitable method of downloading patches.


                        Does anybody have any idea how it can be done?


                        Since we cannot decrypt the other files outside the agent, is there a way of configuring patch analysis jobs to download the patches?


                        Are there any blcli commands that can be used or written?

                        • 9. Re: Auto Download Windows Patches

                          Why not let BladeLogic parse the cab file? The product already does this somehow, so this must be scriptable. We may be able to figure out a way to do this via the BLCLI especially, as much as you may hate it, Robin, via Jython. :)

                          • 10. Re: Auto Download Windows Patches

                            I don't hate Jython! Who gave you that idea? Maybe you're getting me mixed up with Mark! :P


                            We're not going to be able to figure out a way of parsing the cab files unless we can work out how to decrypt them and we shouldn't do that anyway.


                            Once I get the jdbc drivers working on fedora core 4 I'm going to work out how to use jython to speed up all my nsh scripts.

                            • 11. Re: Auto Download Windows Patches

                              I don't think we should directly 'decrypt' the .cab file. I think we should access the download locations via jython. Let's discuss offline.

                              • 12. Re: Auto Download Windows Patches

                                Let's just completely get the "decrypting" of the .cab file off the table. Shavlik fiercely defends their IP and they consider their .cab files very high on the list of IP. Given that we're partnering with them on Patch Analysis now we can't even think about contemplating hacking these.

                                • 13. Re: Auto Download Windows Patches
                                  Mark Jeffery



                                  This is a bit of a storm in a teacup.


                                  At Capgemini, we already have downloading working with a perl script. The only problem is that it uses Microsoft's mssecure.xml which may not be quite as up to date as the file from shavlik.


                                  V6.3 changes none of this.


                                  If there is a priority to download a file, then it can be downloaded manually. If not, then it will probably have already been downloaded automatically with the magic perl script.


                                  Whether it is written in Perl or Jython, it doesn't matter too much. (honest!!)



                                  • 14. Re: Auto Download Windows Patches

                                    While I was there I reconfigured Marks perl script to download & unpack HFNetChk.cab and PD4.cab from Shavlik.


                                    Copying them to a location on the appserver won't be a problem.


                                    The question is: How do we automate downloads from the server that has access to the internet? Would it be feasible to install a second AS and configure it to download all the patches listed in Shavliks files?