SUMMARY

This article provides information about the Hfnetchk tool (Hfnetchk.exe), a command-line tool that administrators can use to centrally assess a computer or a group of computers for the presence or absence of security patches. You can use the Hfnetchk tool to assess patch status for the Windows NT 4.0 and Windows 2000 operating systems, as well as hotfixes for Internet Information Server 4.0 (IIS), Internet Information Services 5.0 (IIS), SQL Server 7.0, SQL Server 2000 (including Microsoft Data Engine [MSDE]), and Internet Explorer 5.01 or later.

CONTENTS

Download
Quick Start Guide
Description
Usage Syntax
Feedback

To view the Hfnetchk Frequently Asked Questions (FAQ), click the following article in the Microsoft Knowledge Base:
Q305385 Frequently Asked Questions for Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool

Microsoft would like to thank Gold Certified Partner Shavlik Technologies for their assistance in creating this tool.

MORE INFORMATION

Download

The following file is available for download from the Microsoft Download Center:
Download Nshc.exe now

NOTE: The Hfnetchk tool is available and tested only for English-language operating systems.

For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services

Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

Quick Start Guide

If you want to use the Hfnetchk tool now and read the rest of this document later, use the following steps:
1. Download the Hfnetchk.zip file that is listed in the Download section of this article.
2. Open the .zip file, and then place all of the files in a new folder on your computer.
3. Read the End-User License Agreement (EULA).
4. At a command prompt, change to the folder that you created.
5. Type hfnetchk, and then press ENTER.
6. If you have installed a hotfix and the tool does not find it, run the Hfnetchk tool again with the following switches:
hfnetchk -v -z

Description

The Hfnetchk tool is a command-line tool that you can use to assess a computer or a selected group of computers for the presence or absence of security patches. You can use Hfnetchk to assess patch status for the Windows NT 4.0 and Windows 2000 operating systems, as well as hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0, SQL Server 2000 (including MSDE), and Internet Explorer 5.01 or later.

The Hfnetchk tool uses an Extensible Markup Language (XML) file that contains information about which hotfixes are available for which products. The XML file contains the security bulletin name and title, and detailed data about product-specific security hotfixes, including: the files in each hotfix package with their file versions and checksums, the registry keys that are applied by the hotfix installation package, information about which patches supersede which other patches, related Microsoft Knowledge Base article numbers, and more.

When you run the Hfnetchk tool for the first time from a command line (without any switches), the tool must obtain a copy of this XML file so that it can find the hotfixes that are available for each product. The XML file is available on the Microsoft Download Center Web site in compressed form, as a digitally signed .cab file. Hfnetchk downloads the .cab file, verifies the signature, and then decompresses it to your local computer. (A .cab file is a compressed file that is similar to a .zip file.) After the .cab file is decompressed, Hfnetchk scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running.
Hfnetchk then parses the XML file and identifies the security patches that are available for your combination of installed software. For Hfnetchk to determine whether a specific patch is installed on a given computer, three items are evaluated: the registry key that is installed by the patch, the file version, and the checksum of each file that is installed by the patch. In the default configuration, Hfnetchk compares the file details and registry keys from the resulting XML subset to the files and registry details on the computer that is being scanned. If any of the file or registry key details on the computer do not match the information that is stored in the XML file, the associated security patch is identified as not installed ("Patch NOT Found") and the result is displayed on the screen, together with the Microsoft Knowledge Base article number that relates to the patch.

If the XML file does not contain enough information to check for a patch (or for a specified countermeasure), you may receive a warning message. For additional information about error messages and warning messages, click the article number below to view the article in the Microsoft Knowledge Base:
Q305385 Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool

Hfnetchk first examines the computer to determine whether the registry key that is associated with the patch exists. If the registry key does not exist, the patch is considered not installed (see the -z switch in the Usage Syntax section below, which disables checking for registry keys). If the registry key does exist, Hfnetchk searches for the related files on the computer and compares the file version and checksum from the XML file to the file version and checksum of the files on the computer. If any of the file tests fail, the hotfix is listed as "Patch NOT Found".
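The three checks described above, together with the supersedence data the XML file carries, as an added Python model that is not Hfnetchk's own code: it evaluates constructed patch records against a constructed host, reports the reason for each "Patch NOT Found" the way -v does, optionally skips the registry test the way -z does, and filters the result the way the -a switch (installed, missing, necessary, both; see Usage Syntax) does. The patch records, registry keys, file names, versions and checksums are made up and do not follow the real Mssecure.xml schema, and accepting a file that is newer than the version listed for the patch is an assumption of this model, not documented Hfnetchk behaviour.

```python
# Model of Hfnetchk's patch-presence logic: an added example, not Hfnetchk's code.
# The patch records and host state are constructed and do not follow Mssecure.xml.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int, int]

@dataclass
class FileRec:
    path: str
    version: Version
    checksum: str          # checksum recorded for this exact file version

@dataclass
class Patch:
    qnumber: str           # Knowledge Base article number shown in the output
    bulletin: str
    reg_key: str           # registry key written by the hotfix installer
    files: List[FileRec]
    supersedes: List[str]  # Q-numbers this patch completely supersedes

@dataclass
class Host:
    reg_keys: Set[str]
    files: Dict[str, Tuple[Version, str]]   # path -> (version, checksum)

def dotted(v: Version) -> str:
    return ".".join(str(n) for n in v)

def check_patch(host: Host, patch: Patch, skip_registry: bool = False):
    """Return (found, reasons): registry key first, then version and checksum
    of every file. skip_registry models -z; the reasons model -v output."""
    if not skip_registry and patch.reg_key not in host.reg_keys:
        # A missing key settles it: the file tests are never reached.
        return False, [f"registry key {patch.reg_key} not found"]
    reasons: List[str] = []
    for f in patch.files:
        present = host.files.get(f.path)
        if present is None:
            reasons.append(f"file {f.path} not found")
            continue
        version, checksum = present
        if version < f.version:
            reasons.append(f"file {f.path} version {dotted(version)} is older than {dotted(f.version)}")
        elif version == f.version and checksum != f.checksum:
            reasons.append(f"file {f.path} checksum {checksum} does not match {f.checksum}")
        # A newer build is accepted: an assumption of this model, since the
        # listed checksum only describes the exact version it belongs to.
    return not reasons, reasons

def scan(host: Host, patches: List[Patch], skip_registry: bool = False):
    """Evaluate every patch; the dict keeps the XML order for stable output."""
    return {p.qnumber: check_patch(host, p, skip_registry) for p in patches}

def view(results, patches: List[Patch], mode: str = "n") -> List[str]:
    """Select Q-numbers the way -a i / m / n / b does (n is the default)."""
    superseded = {q for p in patches for q in p.supersedes}
    installed = [q for q, (found, _) in results.items() if found]
    missing = [q for q, (found, _) in results.items() if not found]
    if mode == "i":
        return installed
    if mode == "m":
        return missing                                   # superseded ones included
    if mode == "n":
        return [q for q in missing if q not in superseded]
    if mode == "b":
        return missing + installed                       # no supersedence filtering
    raise ValueError(f"unknown -a value {mode!r}")

# Constructed sample: Q222222 completely supersedes Q111111 (same DLL, newer
# build); Q333333 fixes a different DLL.
PATCHES = [
    Patch("Q111111", "MS01-001", r"HKLM\SOFTWARE\Microsoft\Updates\Q111111",
          [FileRec(r"c:\winnt\system32\sample.dll", (5, 0, 2195, 100), "aa11")], []),
    Patch("Q222222", "MS01-002", r"HKLM\SOFTWARE\Microsoft\Updates\Q222222",
          [FileRec(r"c:\winnt\system32\sample.dll", (5, 0, 2195, 200), "bb22")], ["Q111111"]),
    Patch("Q333333", "MS01-003", r"HKLM\SOFTWARE\Microsoft\Updates\Q333333",
          [FileRec(r"c:\winnt\system32\other.dll", (5, 0, 2195, 300), "cc33")], []),
]

# Constructed host: Q222222's file is in place but no hotfix registry key was
# ever written (the case the page gives for -z), and other.dll is an old build.
HOST = Host(reg_keys=set(), files={
    r"c:\winnt\system32\sample.dll": ((5, 0, 2195, 200), "bb22"),
    r"c:\winnt\system32\other.dll": ((5, 0, 2195, 250), "dd44"),
})

if __name__ == "__main__":
    for label, skip, mode in (("default checks, -a n", False, "n"), ("-z file checks only, -a b", True, "b")):
        results = scan(HOST, PATCHES, skip_registry=skip)
        print(f"-- {label} --")
        for q in view(results, PATCHES, mode):
            found, reasons = results[q]
            print(f"{q}: {'Patch Found' if found else 'Patch NOT Found'}")
            for r in reasons:
                print("    " + r)
```

Run as-is, the default pass reports all three patches as not found because no registry key exists, and the necessary view drops Q111111 because Q222222 supersedes it; the -z pass then finds Q111111 and Q222222 through their files alone and leaves only Q333333, with the old-build reason, as necessary. That is the difference the page describes between a key that was never written and a file that really is out of date.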
Specific details about why a patch is considered not installed are available if you run the tool with the -v switch. The resulting output identifies the registry keys that are not found and reports the patch as not installed. If you want to bypass the registry keys and have the tool look only at file details, use the -z switch in addition to the -v switch (hfnetchk -v -z).

Additional command-line switches specify groups of computers to scan, output format, engine speed, types of checks, location of the XML file, and so on. Detailed descriptions of the command-line switches are available in the Usage Syntax section of this article.

Usage Syntax

To view the syntax for Hfnetchk, type hfnetchk /? at a command prompt. Descriptions for each of the switches are listed in this section:

hfnetchk.exe [-h hostname] [-i ipaddress] [-d domainname] [-n] [-r range] [-a action] [-t threads] [-o output] [-x datasource] [-z] [-v]

-h - This switch specifies the NetBIOS computer name to scan. The default is the local host. You can scan multiple host names if you separate each host name with a comma, for example:
hfnetchk -h computer1,computer2,server1,server2

-i - This switch specifies the Internet Protocol (IP) address of the computer to scan. You can scan multiple IP addresses if you separate each IP address with a comma, for example:
hfnetchk -i 172.16.1.10,172.16.1.50,192.168.1.10
Note that you cannot scan remote computers by IP address when you run the Hfnetchk tool on a Windows NT 4.0-based computer.

-r - This switch specifies the IP address range to scan, starting with ipaddress1 and ending with ipaddress2 inclusive, for example:
hfnetchk -r 172.16.1.1-172.16.1.35

HINT: You can use the previous switches in combination, for example:
hfnetchk -h computer1,computer2 -i 172.16.1.10 -r 172.16.1.50-172.16.1.90

-d - This switch specifies the domain name to scan. All computers in the domain are scanned.
Computers in the domain are the same as those that appear in Network Neighborhood under the chosen domain name. For Transmission Control Protocol/Internet Protocol (TCP/IP) networks, User Datagram Protocol (UDP) port 137 must be supported on the local network, for example:
hfnetchk -d corpdomain

-n - When you use this switch, all computers on the local network are scanned (all hosts in Network Neighborhood). This switch is similar to the -d switch, but computers from all domains in Network Neighborhood are scanned, for example:
hfnetchk -n

-a - When you use this switch, the (i)nstalled hotfixes, (m)issing hotfixes, (n)ecessary hotfixes, or (b)oth installed and missing hotfixes are displayed.
(I)nstalled hotfixes are the hotfixes for which the registry key and the required files are all found on the computer. Hotfixes that are superseded by an installed service pack are not displayed.
(M)issing hotfixes are the hotfixes that are determined not to be found on the computer. Patches are considered not found if either the registry key or the required files are not found on the computer (depending on the options that you select when you run the tool). Missing hotfixes include any hotfix that is not installed, regardless of whether it is superseded by a later hotfix.
(N)ecessary hotfixes are the hotfixes that are considered not found, like (m)issing hotfixes; however, necessary hotfixes take patch supersedence information into account, and only the patches that are not completely superseded by another patch are displayed. This is the default output.
(B)oth displays both (m)issing and (i)nstalled hotfixes. (N)ecessary hotfixes are not available in this view. For example:
hfnetchk -a i

-t - This switch specifies the number of threads that are used to run the scan. Possible values are from 1 to 128. The default value is 64. You can use this switch to throttle the speed of the scanner down (or up).
Hfnetchk uses standard Windows networking functions to identify computers that are running Windows. Note that this can lead to longer wait times when no hosts are present in the specified address spaces: after the maximum number of threads are open and waiting on absent hosts, the scanner appears to slow down. You do not experience these delays when you use the default number of threads on a populated network. For example:
hfnetchk -t 128

-o - This switch specifies the output format: tab outputs in tab-delimited format and wrap outputs in a word-wrapped format. The default is wrap. Tab-delimited output is useful when you want to redirect the screen output to a text file and then import the text file into a spreadsheet or database (the tab output may not appear "clean" when you view it on the screen). For example:
hfnetchk -o tab > scan.txt

-x - This switch specifies the XML data source that contains the hotfix information. The location may be an XML file name, a compressed XML .cab file, or a Uniform Resource Locator (URL). The default is the Mssecure.cab file from the Microsoft Web site. When you run Hfnetchk without the -x switch, the .cab file is downloaded from the Microsoft Web site, and the XML file it contains, Mssecure.xml, is typically placed in the same folder as Hfnetchk.exe. After you download the file, you can run future scans with the -x switch, for example:
hfnetchk -x mssecure.xml
Note that this sample command assumes that you run it from a command prompt in the same folder as both the Hfnetchk.exe and Mssecure.xml files.
You can also host the XML file on a Hypertext Transfer Protocol (HTTP) server (a Web server) or on a network file share, for example:
hfnetchk -v -z -x http://xyz.abc/hotfixfile.xml
-or-
hfnetchk -v -z -x s:\security\hotfixfile.xml
Note that xyz.abc in the first example is the name of the Web server that holds the file, and hotfixfile.xml in both examples is the name of the Mssecure.xml file that is extracted from the .cab file. The signature check described in the Description section is performed on the .cab file; a plain .xml file carries no .cab signature for Hfnetchk to verify, so restrict write access to the Web server or share that you host it on, because anyone who can alter that file can make a missing patch appear installed on every computer that you scan with it.

-z - This switch specifies that you do not want the tool to perform registry checks. The -z switch disables the registry key checking portion of Hfnetchk. By default, the hotfix registry key that is specific to each patch is examined to determine whether the patch is installed. If the registry key does not exist, Hfnetchk displays the "Patch NOT Found" message. If the registry key does exist, the file versions and file checksums are examined. To disable the registry check and perform only file checks, use the -z switch. The -z switch is important when you troubleshoot output, particularly in combination with the -v switch. Hotfixes are identified as missing if any of the three hotfix-related tests fail: registry key, file version, and file checksum. Under some circumstances, a registry key may not exist even though the hotfix is installed. In these circumstances, you can use the -z switch to bypass the registry-key checks and perform only the file checks. If you use the -z switch with the -v switch, you can find the files that are missing from the installation, rather than the registry keys, for example:
hfnetchk -z -v

-v - This switch displays, in wrap mode, the reason why a test failed. You can use the -v switch to display the reason why a hotfix is considered "not found" or the details of a warning message.
If you use the -v switch without the -z switch, the -v switch either displays the registry key that must be present for the hotfix to be considered installed, or it displays the details of the warning message. When you also use the -z switch, Hfnetchk displays which of the files that are necessary for the patch to be considered installed are not found on the computer. You may use the -v and -z switches initially until your computer is up to date with patches, and then use the default syntax (no switches) to monitor changes on a daily basis, for example:
hfnetchk -z -v

-? - This switch displays the help menu. You can also use the /? syntax. The menu is also displayed any time that you pass incorrect syntax at a command prompt.

Examples of Switches That You Can Use in Combination

The following example scans the local computer for missing (necessary) hotfixes. Registry checks are skipped, and the reasons why each hotfix is considered not installed are displayed. The Mssecure.xml file in the local folder is used.
hfnetchk.exe -v -z -x mssecure.xml

The following example scans every host on the network, skips registry checks, and provides the reasons why hotfixes are not installed. The Mssecure.xml file in the local folder is used:
hfnetchk.exe -v -z -n

The following example scans a computer named hostname and the computer with the IP address 10.1.1.223. The default wrap output displays only the hotfixes that you need to install.
hfnetchk.exe -h hostname -i 10.1.1.223

The following example scans computers named computer1 and computer2, and also scans two computers with specific IP addresses (172.16.1.10 and 192.168.1.32). Registry checks are skipped, and the reasons why each hotfix is considered not installed are displayed. Output is written to the Scan.txt file.
hfnetchk.exe -h computer1,computer2 -i 172.16.1.10,192.168.1.32 -v -z >scan.txt

The computer with IP address 192.168.1.1 is scanned. Both missing and installed hotfixes are identified.
The reason why a hotfix is not found is displayed. Output is in tab-delimited format and is appended to a file called 192.168.1.1.txt.
hfnetchk.exe -i 192.168.1.1 -a b -v -o tab >>192.168.1.1.txt

Two computers with the IP addresses 192.168.1.1 and 192.168.1.8 are scanned, and one computer named server1 is scanned. A local copy of the Mssecure.xml file is used.
hfnetchk.exe -i 192.168.1.1,192.168.1.8 -h server1 -x mssecure.xml

All of the computers in the corp domain are scanned for installed hotfixes. Output is in tab-delimited format, and the Hotfixes.xml file in the C:\Temp folder is used.
hfnetchk.exe -d corp -a i -o tab -x c:\temp\hotfixes.xml

All computers in the 192.168.1.0 class C subnet are scanned. Results display both missing and installed hotfixes. Note that the scanning engine has been increased to 100 threads.
hfnetchk.exe -r 192.168.1.1-192.168.1.254 -a b -t 100

The local computer is scanned by using the Mssecure.xml file from the Web server www.xyz.abc.
hfnetchk.exe -x http://www.xyz.abc/mssecure.xml

The local computer is scanned by using the Mssecure.xml file from the specified folder (path name). You must use quotation marks around the fully qualified file name (path name and file name) if there is a space in the path name.
hfnetchk.exe -x "c:\path name\mssecure.xml"

Feedback

To report comments, feedback, or problems with the Hfnetchk tool, send an e-mail message to hfnetchk@microsoft.com.

For additional support, read the following Microsoft Knowledge Base article:
Q305385 Frequently Asked Questions for Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool