SAXPAR.vbs

This script identifies the security updates missing on any PC running Windows XP / Vista / Windows 7 / Windows Server 2003 / Windows Server 2008 with the output presented in an easy-to-read Unicode text file. No program need be installed. Windows Genuine Advantage (WGA) is not used.

It requires two files to run, MBSACLI.EXE (Microsoft Base Security Analyzer Command Line Interface) and WUSSCAN.DLL, which will be termed the “executables”. These executables cannot be distributed. They can be obtained by installing Microsoft Base Security Analyzer (MBSA) 2.3, available here. After the executables are retrieved from the MBSA main directory, MBSA can be uninstalled. The executables can then travel with the script and must be present in the script’s directory.

• The x86 version of MBSA 2.3 won’t install into an x64 system, but SAXPAR appears to run just fine with x86 executables in an x64 system.
  
  
• If MBSA 2.2 is used, SAXPAR will also run on Windows 2000 and Windows 2000 Server. Microsoft has withdrawn MBSA 2.2 from download.

When SAXPAR is run, the output file name is SAXPAR Results followed by the name of the PC in parentheses, the date in year-month-day format, the time in hour.minute.second format and then the extension .txt. Thus, the file created by the script launched at 15:34:10 (3:34:10 p.m.) on a PC named “Foo” on 09 March 2012 would be:

SAXPAR Results (Foo) 2012-03-09 15.34.10.txt

By default, the report file is placed in the same directory as the script. A single (optional) command line parameter or an internal script parameter may be used to set a different report file directory.

For each missing hotfix, the report file displays the title, the security bulletin number, the Knowledge Base number, the hotfix type (Security Update, Service Pack, or Update Rollup), its severity (Critical, Important, Moderate, Low or no rating), the security bulletin URL and the download URL.

There are 12 optional internal parameters that can be set in the top lines of the script:

1. report directory – this can be overridden by a command line parameter. The default is an empty string — the report file is placed in the same directory as the script.
2. minimum severity level for missing hotfixes – possible values are:
   • 0 all missing hotfixes, No Rating, Low, Moderate, Important, and Critical, are listed
   • 1 only Low, Moderate, Important, and Critical severity hotfixes are listed
   • 2 only Moderate, Important and Critical severity hotfixes are listed
   • 3 only Important and Critical severity hotfixes are listed
   • 4 only Critical severity hotfixes are listed

   The default is 0.

3. the directory for a local catalog file “wsusscn2.cab” – using a local catalog file allows the script to be run on a PC without an Internet connection. However, an active network connection must be present. When the script is run without this parameter, the catalog file is downloaded to the following directory:

   Windows 2000 & Windows XP:
   %USERPROFILE%\Local Settings\Application Data\Microsoft\MBSA\Cache\
   
   Windows Vista & Windows 7:
   %USERPROFILE%\AppData\Local\Microsoft\MBSA\Cache\

   The latest version of the file can be downloaded from Microsoft here.

   Tip: place the catalog file in the script’s directory and set this parameter to a dot “.”

   Note that the catalog file is updated frequently. Avoid using a stale version.

   The default for this parameter is an empty string — the catalog file is downloaded every time the script is run.

4. suppression of status and error messages – set this parameter to True (use no quotes) to make script execution silent. The default is False (message display is allowed).
5. send report by e-mail – the default is False (use no quotes). If False, parameters 6 through 12 are ignored.
   6. use SMTP authentication – the default is False (use no quotes).
   7. use Gmail SMTP – the default is False (use no quotes).
   8. set the sender’s e-mail address – the format can be simply the address, like this:
      
      “accountname@domainname.tld”
      
      or can include a name with the address enclosed in angle brackets, like this:
      
      “Firstname Lastname <accountname@domainname.tld>”
      
      The string must be enclosed in quotes. The default is an empty string.
   9. set the destination e-mail address – the same rules apply as for the sender’s e-mail address. The default is an empty string.
   10. SMTP server name – the name must be enclosed in quotes. The default is an empty string.
       
   11. User ID for SMTP authentification or Gmail – the string must be enclosed in quotes. The default is an empty string.
   12. Password for SMTP authentification or Gmail – the string must be enclosed in quotes. The default is an empty string.

The script requires Administrative privileges to run. Under Vista and Windows 7, the script will relaunch itself with elevated privileges if necessary and a UAC prompt will appear.

To launch the script as a Scheduled Task, point the Task Scheduler to the script file. To make script execution silent, set parameter 4 to True. To avoid a UAC prompt under Vista and Windows 7, in Task Scheduler | Properties | General (tab) | Security options, make sure that “Run with highest privileges” is checked.

The revision history is found in comments at the bottom of the script file.

This script is free. If you’d like to show your appreciation, patronize the Google Ad vendors. (A simple click is a good way to start.)

If you encounter a script bug, please contact me so I can fix the problem.

Testers are needed to assist with development of future versions. If you’d like to help, please contact me.

The script is protected by copyright. You do not have permission modify the script code for use in your shop. If the script doesn’t work the way you want, I urge you to contact me. I will supply you with a custom-made script for a reasonable charge.