12 replies to this topic

[LostUser]

Hi all.
I am working on setting AutoPatcher to distribute updates using Kaspersky Administration kit.

What I am trying to do at this point is have only the necessary files on the server to run AutoPatcher and do
the critical updates.

Since I don't see all the Windows Critical updates showing up from a regular AutoPatcher download, I am downloading them and making my own APM files, directories, etc.

Here is my question. I look at the AutoPatcher log file and it gives this messaging (different file names) for the update .apm files:
" ... KB956744_xp_x86_enu.apm was found, but not mentioned by any RTI!"

Is this a problem ... or am I doing something wrong by creating my own APM files?

[click-click]

I'm not sue if you can add APM files. If you feel Windows Critical Updates are missing, you need to inform the maintainers in one of the appropriate forums and they will investigate your claims. I.e

http://www.autopatch...6-hotfix-depot/

Also, KB956744 is already included in AP. Be sure to run APUP.exe /log to refresh your installation

Edited by click-click, 04 November 2009 - 11:27 PM.

[Cristiano]

> I don't see all the Windows Critical updates showing up from a regular AutoPatcher download
in the xp enu script? all updates are in there, but since the enu script are shared between extras, direct x and .net, you will need all 3 in order to have all the updates for xp sp3. also, you need run autopatcher at least twice with the right choices to cover them all

about this:
" ... KB956744_xp_x86_enu.apm was found, but not mentioned by any RTI!"

this module is located under the critical updates and it is in the rti file. but since you have your own modules mixed with the official ones, autopatcher goes out of sync with the rti file and return this kind of message in the log. you can get rid of those messages by removing the .rti file. but please check the .md5 file to see if you have all the updates as they should be

[]s

[LostUser]

Cristiano, on 04 November 2009 - 11:11 PM, said:

> I don't see all the Windows Critical updates showing up from a regular AutoPatcher download
in the xp enu script? all updates are in there, but since the enu script are shared between extras, direct x and .net, you will need all 3 in order to have all the updates for xp sp3. also, you need run autopatcher at least twice with the right choices to cover them all

about this:
" ... KB956744_xp_x86_enu.apm was found, but not mentioned by any RTI!"

this module is located under the critical updates and it is in the rti file. but since you have your own modules mixed with the official ones, autopatcher goes out of sync with the rti file and return this kind of message in the log. you can get rid of those messages by removing the .rti file. but please check the .md5 file to see if you have all the updates as they should be

[]s

My directories are a little messy now. What I'll do is create a new directory, run APUP and leave it as is. Then I'll get back with you if I find any updates that aren't there.

[Cristiano]

ok. if you wish, i can do an full list about what needs to be installed in order to math wu. if i'm not mistaken, if you have the .net, extras and direct xp package (and, of course, the main script) and run autopatcher with /recommended argument, then you will match wu. but you need to this twice. do one, reboot and then do it again to get the missing ones. i'm unsure if you need to run with an /neverselectinstalled argument too, but i have an personal folders with all the required updates already checked as critical and it matches nicely, for an xp sp3.

[]s

[LostUser]

Cristiano, on 05 November 2009 - 10:17 PM, said:

ok. if you wish, i can do an full list about what needs to be installed in order to math wu. if i'm not mistaken, if you have the .net, extras and direct xp package (and, of course, the main script) and run autopatcher with /recommended argument, then you will match wu. but you need to this twice. do one, reboot and then do it again to get the missing ones. i'm unsure if you need to run with an /neverselectinstalled argument too, but i have an personal folders with all the required updates already checked as critical and it matches nicely, for an xp sp3.

[]s

Thanks for the info for WU. You don't have to get me a list, I can get that.

What I am trying to do is push AutoPatcher out using Kaspersky's Admin Kit. The result I want is to have AutoPatcher only install critical updates. I want it to run as fast as possible so I don't want AutoPatcher to have to look at any other updates except critical. To do this, I was thinking I could just remove all the other module directories not related to Critical Updates. I am not sure this is the correct thing to do however.

The other thing is that, on our network, the PCs we are updating are Windows2000 sp4, Windows XP sp2, and Windows XP sp3. Most are 2000sp4 and xpsp2.

With Kaspersky Admin Kit, I am using an AutoIt script to run the batch file hidden, then check for the AutoPatcher window and hide that. The script creates a log file and records the start and end time (when the AutoPatcher window closes). When the AutoPatcher window is no longer existing (likely because AutoPatcher is finished) then the script copies the AutoPatcher log file to a location on the network.

I am not using answer files yet ... only for testing. Do answer files skip all the checks (except md5) and just force the updates in the answer file to run?

[Cristiano]

> The result I want is to have AutoPatcher only install critical updates.
that's the reason why you are getting missing things into WU. you may lack certain updates if you miss certain non-critical and some components too. with those missing, you will not match wu at all and probably will take more time than really required to update everything. do you wanna some samples? ok, i will give you

> Windows XP sp2
this one will not match wu with autopatcher. certain modules loads in sp2, but we don't check for missing updates to this one.

KB956744 and KB973039 are critical updates. booth could be replaced by KB969084, saving time to install. but KB969084 is an component, not an critical or non-critical update. the same thing goes to ie. by removing the components, you will remove ie8 (just to make the history short) and will install a dozen of modules for nothing. by other hand, if you install IE8 and wmp11, you will skip a dozen of updates and will math WU in half of the time than deploying only the critical ones and then checking at wu. by doing the right choices, you can deploy all the updates required to match wu in half a hour or less, according to the machine specs. how i know that? i fix machines and, with more free time, more money i can make. furthermore, i can decrease even more that time, by changing just one thing into the module install string.

and no, i don't run with an answers file. as for skip all the checks, i'm unsure about what you are talking about. if you are talking about the integrity of the files, then no, the rti file still will be checked, unless not present. by the other hand, if you run autopatcher with an /neverselectinstalled or a few extra arguments to run with an answers file, then autopatcher will only check if an update is already installed or not and, due the /neverselectinstalled , the already installed updates will not be forced

[]s

[LostUser]

Cristiano, on 11 November 2009 - 05:30 PM, said:

> The result I want is to have AutoPatcher only install critical updates.
that's the reason why you are getting missing things into WU. you may lack certain updates if you miss certain non-critical and some components too. with those missing, you will not match wu at all and probably will take more time than really required to update everything. do you wanna some samples? ok, i will give you

I think I understand now. The best thing to do would be to let apup download everything it needs to download and run everything from that directory.

Quote

> Windows XP sp2
this one will not match wu with autopatcher. certain modules loads in sp2, but we don't check for missing updates to this one.

Any suggestions on what I can do to work this one out?

Quote

KB956744 and KB973039 are critical updates. booth could be replaced by KB969084, saving time to install. but KB969084 is an component, not an critical or non-critical update. the same thing goes to ie. by removing the components, you will remove ie8 (just to make the history short) and will install a dozen of modules for nothing. by other hand, if you install IE8 and wmp11, you will skip a dozen of updates and will math WU in half of the time than deploying only the critical ones and then checking at wu. by doing the right choices, you can deploy all the updates required to match wu in half a hour or less, according to the machine specs. how i know that? i fix machines and, with more free time, more money i can make. furthermore, i can decrease even more that time, by changing just one thing into the module install string.

What about MS09-### critical updates? Is it possible to just install these from a download using no update software? Or will some of the critical updates require that other components (as you mention above) be installed?

I hope I am not being dumb or asking too many questions. I just want to understand what I can and can't do while keeping the computers up to date.

Thanks.

[Cristiano]

> The best thing to do would be to let apup download everything it needs to download and run everything from that directory
not kite right. you don't need all the updates, only the key ones. by instance, KB969084 save you time, but this one requires at least .net 2. by other hand, you will not require install any IE6 update if you are going to install IE7 or 8. also, the flash player installer replaces one update for windows xp (i don't remember the kb number right now, but i can find it, if you wish). plus, flash player will be prompted to be downloaded by any website that you go. also, there's a lot of samples of this kind of issue

> Windows XP sp2
oh well, this one may be an real problem. certain updates just doesn't work under sp2 anymore. plus: the list of updates that are required to install prior to the sp3 is huge. worst: certain sound cards drivers must be updated prior to deploy sp3 or certain updates that predates sp3. with my clients that are still running this one, i just do one thing: wipe, reinstall with sp3 integrated, deploy the updates. no, i'm not joking: takes more time deploy sp2 then sp3, then the updates and fix the issues related to that than if you wipe all and reinstall everything all again

> Or will some of the critical updates require that other components (as you mention above) be installed?
all them can be installed by hand, but all them has the same issues than the other ones. worst: some of them may require KB958655, that requires KB942288 to work. then, you will have to figure the proper order to install all them and this may be an nightmare

also, there's an even faster way that the method that i choose: integrate everything into an install media and, in the advent of an full reinstall, most of the updates already will be in there. but i don't like it. i've already saw an couple of issues that may come from this scenario.

> asking too many questions
that isn't a problem. sometimes, it's more easy to elaborate in this way

oh crap... my cats just dropped about 50 cds in the floor... all them still had the original case. oh well... not anymore for most of them...

[]s

[LostUser]

Quote

> The best thing to do would be to let apup download everything it needs to download and run everything from that directory
not kite right. you don't need all the updates, only the key ones. by instance, KB969084 save you time, but this one requires at least .net 2. by other hand, you will not require install any IE6 update if you are going to install IE7 or 8. also, the flash player installer replaces one update for windows xp (i don't remember the kb number right now, but i can find it, if you wish). plus, flash player will be prompted to be downloaded by any website that you go. also, there's a lot of samples of this kind of issue

I'll have to look more at this and decide what to do. Basically, I want to protect the PCs when the updates come out to prevent something like Conficker from happening again. I still see Conficker residue on our network every so often.

Quote

> Windows XP sp2
oh well, this one may be an real problem. certain updates just doesn't work under sp2 anymore. plus: the list of updates that are required to install prior to the sp3 is huge. worst: certain sound cards drivers must be updated prior to deploy sp3 or certain updates that predates sp3. with my clients that are still running this one, i just do one thing: wipe, reinstall with sp3 integrated, deploy the updates. no, i'm not joking: takes more time deploy sp2 then sp3, then the updates and fix the issues related to that than if you wipe all and reinstall everything all again

I've been trying to work with an in-use PC with xpsp2 (we don't have any spares right now) and watch what updates get downloaded with WU. I'll try to emulate what gets installed on that PC.

Quote

> Or will some of the critical updates require that other components (as you mention above) be installed?
all them can be installed by hand, but all them has the same issues than the other ones. worst: some of them may require KB958655, that requires KB942288 to work. then, you will have to figure the proper order to install all them and this may be an nightmare

also, there's an even faster way that the method that i choose: integrate everything into an install media and, in the advent of an full reinstall, most of the updates already will be in there. but i don't like it. i've already saw an couple of issues that may come from this scenario.

I am a big fan of slipstreaming the big service packs instead of doing all the previous updates like installing xpsp2, the updates, then xpsp3. Best just to go straight to xpsp3. Unfortunately some of our PCs would be too slow if the were upgraded to xpsp3 add to that our Kaspersky software and any other necessary software and people will just get frustrated. Not to mention our other locations which connect to us over a T1 which slows them down even more.

Quote

> asking too many questions
that isn't a problem. sometimes, it's more easy to elaborate in this way

You are right on that point. When you can only send text, more questions will get a better answer.

Quote

oh crap... my cats just dropped about 50 cds in the floor... all them still had the original case. oh well... not anymore for most of them...

I had to lol when I read that but am sorry to hear that. Maybe you can buy empty cases and put all the covers and printed materials back (if they are standard size cases). The standard CD case plastic is too easy to break.

[Cristiano]

> I still see Conficker residue on our network every so often
in here too. this isn't my task at my job anymore, but i've tracked those machines some time ago. by now, it's everything ok. but the sad part is that you can apply kb958644, that may help prevent an re-infection, but the machine must be cleaned first. mrt helps with that

> Unfortunately some of our PCs would be too slow if the were upgraded to xpsp3
just disable the garbage, like the xp style, that dog in search, microsoft search and a few extra garbage that will do the trick. just to make some tests, once i've tried xp sp3 and fully updated running in an ancient k6 II 500, 196 RAM shared and with an (arghhhhhh) pcchips motherboard. at the end, the memory usage was about 96-120MB and the machine was running pretty fine

about my cds, well, i will try protect them better. but is kinda hard to do that when you have an wall of it...

[]s

[LostUser]

Quote

> I still see Conficker residue on our network every so often
in here too. this isn't my task at my job anymore, but i've tracked those machines some time ago. by now, it's everything ok. but the sad part is that you can apply kb958644, that may help prevent an re-infection, but the machine must be cleaned first. mrt helps with that

We clean, run the patches, and make sure Kaspersky is up to date. Things are much better now but there are a few stubborn machines that seem to keep getting infected. I have found out some interesting things after I logged onto an infected laptop (didn't know it was infected as it had been stored for a while). I had to join it to our domain so logged in as Admin. I watched as Kaspersky kept popping up messages that %computername%\admin$\[random file name] was infected, do I want to delete it. I cleaned it as I was logged in as Admin because I didn't want to lose the connection to those machines and have them reboot and become infected. I did get to know conficker's process though. Even patched PCs can still get the infection if there are administrative rights through the RDP share.

Quote

> Unfortunately some of our PCs would be too slow if the were upgraded to xpsp3
just disable the garbage, like the xp style, that dog in search, microsoft search and a few extra garbage that will do the trick. just to make some tests, once i've tried xp sp3 and fully updated running in an ancient k6 II 500, 196 RAM shared and with an (arghhhhhh) pcchips motherboard. at the end, the memory usage was about 96-120MB and the machine was running pretty fine

A k6II ... that is pretty rough. Yes, it would probably run fine ... but when you throw MsOffice 2003 or 2007, Outlook, Adobe, Web Based apps and other things, it really puts a load on the PC.

Quote

about my cds, well, i will try protect them better. but is kinda hard to do that when you have an wall of it...

I have a CD jukebox someone gave me (not the pub kind). Its the kind you connect up to a PC ... uses scsi 2. I have never connected it and tried to access though, however I have powered it on and it does work. Someday when I have the time I may work more on it. I think they used it more for software loading and not music though.

[Cristiano]

> machines that seem to keep getting infected
surely there's an infected machine at your network. this tool may help you track it:
http://www.mcafee.co...fickertest.html
with that, you can check your entire network for the presence of it at once, allowing you to isolate and clean those machines. it's an free tool

> but when you throw MsOffice 2003 or 2007, Outlook, Adobe, Web Based apps and other things, it really puts a load on the PC
still works, but in ancient machines, you have to think about what works best. msoffice 2k3 may works, but about 2k7... adobe reader can be replaced by more clean pdf viewers. but of course, this just helps, not fix the issue

> CD jukebox
i know those. the idea is nice, but then "what i will listen now" will become an problem

[]s