13 Replies Latest reply on Sep 10, 2013 12:51 PM by Chetan Lal Gupta

    Understanding Shavlik-Patching process

    Steffen Kreis



      as we encounter several issue when patching Windwos Servers using BL 8.1 we would like to get a clear understanding of the technical implementation of the Shavlik Technology.


      We already understand the usage of blpatchcheck2.exe within the process and the parameters for Patch-Types, as well as the usage of the xml-file.


      Looking at the sbin directory of the agent on a windows server, there is also the "original" shavlik hfcli.exe, but using Process-Monitor i cannot see that file beeing used in a blpatchcheck2 run.


      Does anybody have additional background, as we cannout believe the 76 KB large blpatchcheck2.exe is doing all the work.



        • 1. Understanding Shavlik-Patching process
          Lazar NameToUpdate

          BLPatchCheck2 uses stPatchAssessment.dll to run the analysis against the hfnetchk6b.xml and generates results.xml


          Hfcli is not used.


          Hfcli = Shavlik wrapper around stpatchAssessment.dll

          BlPatchCheck2 = BladeLogic wrapper around stPatchAssessment.dll


          For more information and some troubelshooting tips, review my webinar on Windows Patching Troubleshooting in: ftp.bmc.com/pub/BLL1Training

          I developed it targetting most common pain areas.



          • 2. Understanding Shavlik-Patching process
            Steffen Kreis



            many thanks for your feedback and the very helpful material.

            We are just reviewing it now.


            Also the other product areas that are covered are very much appreciated !!


            From the directory structure, i can see, that "Number 7" seems to be missing.

            Would you be able to provide that material as well, in case if it covers another area of BBSA / BDSSA ?




            • 3. Understanding Shavlik-Patching process
              Lazar NameToUpdate

              Number 7 was supposed to be a Compliance Troubleshooting Guide that I never had time to finish .

              It's still in the works along with more troubleshooting guides such as Deploy Job Troubelshooting. This is just the first batch of webinars that we released.



              • 4. Re: Understanding Shavlik-Patching process
                Steffen Kreis



                maybe you also can help with the current issue that we are facing when patching a Windows Server 2008 R2 SP1.


                Following given facts:

                BLAppserver               8.1 SP2 on W2k3x64

                RSCDagent on target   8.1 SP2 P4


                Offline-Patch-Catalogin BL containing the following filters all with language set to"English":

                                <product-category>Microsoft WindowsServer 2008</product-category>



                               <product-category>Internet Explorer</product-category>




                The catalog was again updated this morning. hfnetchk6b.cml and pd5.xml are at the latest version.

                The catalog uses "Agent Mounts Source For Direct Use At Deployment" and uses properties to identity the correct Network URL for Payload Deployment.



                The according Patch-Analysis Job is set with the following options:

                            - Group option ticket

                                        - Include SecurityPatches

                                        - Include Security Tools

                                        - Include Non-SecurityPatches

                                        - Exclude Service Packs


                            - Create Remediation artifacts

                            - Deploy job options are set toignore item defined reboot settings (As we boot at the end of the PPBJ)



                This Patch-Analysis/catalog combination identifies 52 missing patches (Please seeExported analysis result attached).



                When deploying this generated Remediation-Job the overall Status of the Job is failed due to a single Patch beeing "not appicable".

                As each entry in the generated Remediation-Blpackage is set to"Continue" for "Action on Failure" all other patches are installed successfully.


                Following investigations have already been done:

                The patch exiting with a "Non-Zero" exit code is the patch for MS11-A04 which gets installed in position 29.

                The Exit code produced by that Patch is -2145124329. Which seems to match to "Not applicable" according to infos on the web.


                To further track this down the following steps have already been done:


                1.) After the Patch-Job finished with status "failed" we tried to install MS11-A04 manually, which is "Windows6.1-2008-R2-SP1-KB2533623-x64.msu-MS11-A04-en-WINDOWSSERVER 2008 R2 ENTERPRISE (X64)-SP1" in the depot.

                This also gives us the following error: "The update is not applicable to your computer"


                2.) We canceled the PPBJ directly before the patching-job started and the tried to install the described Patch manually. This time the installation finished successfully without any problem.



                Due to this we believe that the patch for MS11-A04 is conflicting with one of the 28 Patches that gets installed just before that, it seems that one of these patches make it obsolete.

                We now wonder where the problem lies:

                            - Should Shavlik not include MS11-A04 in it's analysis as it seems to be conflicting with one patch in between ?

                            - Should the BL deploy job ignore the "not applicable"error-code ?




                When the Deloy job finished with status"failed" it has basically deployed 51 patches.

                When we then reboot the server and run a patch-analysis with the same options as before, no patch is shown as missing, although MS11-A04 has not been deployed, but was marked as missing in the first run.




                What we did in a next step was to execute the follwoing on the server:


                blpatchchk2.exe 0 -pt 4 -s [hfnetcheck.xml] [results.xml]

                According to Shavliks hfcli-Dcoumentation this will scan for "Security Tools" which is the category that MS11-A04 belongs to.


                In the generated results.xml MS11-A04 is showing up as"EffectivlyInstalled".

                Therefore it seems obvious to me, that the Patch is superceeded/included/conflicting with another patch that was included in thePatch-Analysis-Deployment.

                • 5. Re: Understanding Shavlik-Patching process
                  Jim Wilson

                  Hmm - that issue should be resolved (QM001708015 addressed in 8.1SP2)

                  You should open a support issue.


                  There is a workaround, to prevents the job from failing:


                  On the console, click Configuration on the menu bar and select Patch Global Configuration
                  Select the Windows tab
                  In the "Patch deploy success return codes" edit box, enter -2145124329
                  Click the save icon

                  Test the patching job - the -2145124329 will still occur, but the patching job should be marked as successful




                  • 6. Re: Understanding Shavlik-Patching process
                    Steffen Kreis

                    Hi Jim,


                    Thx for your feedback, the support issue has been already opened.


                    I just looked at the generated "Auto-Remediation"Package again and realized, that the patches-categories seem to be deployed in several blocks, that are related to the tick-boxes on the analysis-job.


                    The first blocks are the security Hotfixes, the secondary the Security Tools, followed by the "Other Updates " Block.


                    Is that the intended behaviour ?


                    We still think that MS11-A04 is somehow superceeded/conflicting by one of the Security Hotfixes deployed in the first block.









                    • 7. Re: Understanding Shavlik-Patching process
                      Jim Wilson

                      Yes, the return code is caused by trying to apply a non-applicable patch.


                      This was the problem scenario reported in the problem tracking record:


                      1.If Patch A is superceded by patch B and is on a target A and missing on target B, it shows both patches missing in the analysis result

                      2.During deploy, if it deploys patch B first and then tries to deploy patch A , it will no deploy since patch B is the newest


                      Historically, this has not caused any problem, but recent changes to the Microsoft code now produce this new return code.


                      As I understand it, the fix supplied by QM001708015 should correct the order of deploy (Patch A will get deployed first and then patch B)


                      The workaround supplied will prevent the return code from causing the patch job to fail.

                      • 8. Understanding Shavlik-Patching process
                        Steffen Kreis



                        as we are running on BL 8.1 SP2 i'm afraid this is not fixed completely.



                        • 9. Understanding Shavlik-Patching process
                          John Landells

                          Hey Lazar,


                          Your Training Guides are great!


                          Did you ever produce the Compliance section or any others, please?


                          Many thanks,


                          • 10. Understanding Shavlik-Patching process
                            Lazar NameToUpdate

                            Thanks John,


                            Lately we've been mainly focusing on cleaning up and releasing the Knowledge Base articles which were in our backlog. We made some great progress there, so this should allow us to dedicate more time to webinars. I hope to get this done sooner than later.



                            • 11. Understanding Shavlik-Patching process

                              Hi Lazar,


                              These guides are superb for the forum users , good to see this post of yours.





                              • 12. Re: Understanding Shavlik-Patching process
                                Domenico Trovato

                                Hi Lazar, sorry if I'm a little bit out of topic...you wrote:

                                "For more information and some troubelshooting tips, review my webinar on Windows Patching Troubleshooting in: ftp.bmc.com/pub/BLL1Training "


                                At that link, number 7 is missing.

                                • 13. Re: Understanding Shavlik-Patching process



                                  These guides are with me since a long but i never noticed that 7 is missing


                                  Though i think it covers all.