Microsoft KB Archive/827363

= How to Use the KB 824146 Scanning Tool to Identify Host Computers That Do Not Have the 823980 (MS03-026) and the 824146 (MS03-039) Security Patches Installed =

Article ID: 827363

Article Last Modified on 9/5/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, 64-Bit Datacenter Edition
 * Microsoft Windows Server 2003, 64-Bit Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Professional for Itanium-based systems
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Media Center Edition 2002
 * Microsoft Windows XP Professional
 * Microsoft Windows XP Tablet PC Edition
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Server
 * Microsoft Windows NT Server 4.0, Terminal Server Edition
 * Microsoft Windows NT Server 4.0 Standard Edition
 * Microsoft Windows NT Workstation 4.0 Developer Edition

-



Note On October 7, 2003, Microsoft released an updated version (1.00.0257) of the KB 824146 scanning tool (KB824146scan.exe) that incorporates several feature requests that are based on customer feedback. The major changes in version 1.00.0257 include the following:
 * The ability to scan Microsoft Windows NT 4.0-based computers that have the RestrictAnonymous value turned on in the registry
 * Improved output categories that help to clarify the security patch level of scanned computers
 * NetBIOS name output for scanned computers



SUMMARY
Microsoft has released the KB 824146 scanning tool (KB824146scan.exe) that network administrators can use to identify host computers on their networks that do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. This tool replaces the KB 823980 scanning tool (KB823980scan.exe).

Note If you use the KB823980scan.exe tool to scan a computer that has the 824146 security patch installed, the tool will incorrectly report that the computer is missing the 823980 security patch (MS03-026). Microsoft encourages customers to run the KB824146scan.exe tool to determine whether the host computers on their networks have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. For additional information about the 824146 security patch (MS03-039), click the following article number to view the article in the Microsoft Knowledge Base:

824146 MS03-039: A Buffer Overrun in RPCSS Could Allow an Attacker to Run Malicious Programs

For additional information about the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:

823980 MS03-026: Buffer Overrun in RPC Interface May Allow Code Execution

For additional information about a new worm virus that tries to exploit the DCOM RPC vulnerability that is fixed by the 823980 security patch (MS03-026), click the following article number to view the article in the Microsoft Knowledge Base:

826955 Virus Alert About the Blaster Worm and Its Variants

For additional information about how network administrators can use Windows Management Instrumentation scripting to install the 823980 security patch (MS03-026) on unpatched computers in their Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows Server 2003 domain, click the following article number to view the article in the Microsoft Knowledge Base:

827227 How to Use a Visual Basic Script to Install the 824146 (MS03-039) or 823980 (MS03-026) Security Patch on Remote Host Computers



MORE INFORMATION
The KB824146scan.exe tool can scan remote computers to help network administrators identify which Windows-based computers do not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. The scan does not require authentication (that is, you do not have to supply valid credentials on the remote computer). The KB824146scan.exe tool does not affect the stability of the target operating system that is scanned.

You can use the KB824146scan.exe tool from a computer that is running Windows Server 2003, Windows XP, or Windows 2000. You can use it to scan Windows Server 2003-based, Windows XP-based, Windows 2000-based, or Windows NT 4.0-based computers on your network.

Download and Setup Information
To download the KB824146scan.exe tool, visit the following Microsoft Web site:

http://www.microsoft.com/downloads/details.aspx?FamilyId=13AE421B-7BAB-41A2-843B-FAD838FE472E&displaylang=en

Download the Dcom-kb827363-x86-enu.exe installation package. To install the KB824146scan.exe tool, double-click the Dcom-kb827363-x86-enu.exe installation package that you downloaded. The tool is a command-line utility that is installed in the KB824146scan subfolder of the Program Files folder, or in the KB824146scan subfolder of the Program Files (X86) folder for 64-bit versions of Windows XP or Windows Server 2003.

Usage Information
To run the KB824146scan.exe tool, follow these steps:
 * 1) Click Start, and then click Run.
 * 2) In the Open box, type cmd and then click OK.
 * 3) At the command prompt, type cd %programfiles%\kb824146scan, and then press ENTER.
 * 4) Type kb824146scan.

For information about the available switches to use with the KB824146scan.exe tool, type KB824146scan.exe /?. The following information is shown:

Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86

Copyright (c) Microsoft Corporation 2003. All rights reserved.

The purpose of KB824146Scan.exe is to audit Windows systems over the network for KB824146 and KB823980patch compliance. KB824146Scan.exe allows administrators to quickly scan enterprise networks for unpatched systems.

Usage: KB824146Scan.exe [/?] [/i:input_file] [/l[:log_file]] [/n] [/o:out_file] [/r] [/t:timeout] [/v] target ...

Targets can take any of the following forms:

 a.b.c.d            - IP address
 a.b.c.d-i.j.k.l    - IP address range
 a.b.c.d/mask       - IP address with CIDR mask
 host               - unqualified hostname
 host.domain.com    - fully-qualified domain name
 localhost          - check local machine

Targets can be specified on the command line & in user-specified input files. The format of the input file is one target per line.

KB824146Scan.exe maintains a log file in the current directory if the /l switch is specified on the command line. (Otherwise output is only sent to the screen.) The log files will take the form of KB824146Scan_YYMMDD[a-z][a-z].log, where YY is the two digit year, MM is the two digit month, and DD is the two digit day. The [a-z][a-z] will be appended to the log file name as additional scans are completed on the same day. Please note that the log output will only contain essential information. To capture full information, please specify the /v switch for verbose logging.

KB824146Scan.exe will create a list of vulnerable systems (unpatched as well as those with KB823980 installed) in the current working directory. The log files will take the form of Vulnerable_YYMMDD[a-z][a-z].log, where YY is the two digit year, MM is the two digit month, and DD is the two digit day. The [a-z][a-z] will be appended to the log file name as additional scans are completed on the same day. Its name can be changed with the /o switch.

KB824146Scan.exe will resolve IP addresses to DNS names if the /r switch is given on the command line. This may incur a performance penalty if your DNS servers are slow in responding.

KB824146Scan.exe will resolve IP addresses to NetBIOS names if the /n switch is given on the command line. This may incur a performance penalty if the remote NetBIOS connection is slow in responding.

KB824146Scan.exe has a default timeout of 5 seconds, which should be fine for most networks. If your network is slow or has IPSec enabled then you might want to increase the timeout to 10 seconds or more. Use /t to specify the number of seconds for the timeout.

Sample Output
The following is a sample of the command-line output that is shown by KB824146Scan.exe when you use it to scan a range of IP addresses (10.1.1.0 through 10.1.1.255 in this example).

 C:\>kb824146scan 10.1.1.1/24

 Microsoft (R) KB824146 Scanner Version 1.00.0257 for 80x86
 Copyright (c) Microsoft Corporation 2003. All rights reserved.

 <+> Starting scan (timeout = 5000 ms)

 Checking 10.1.1.0 - 10.1.1.255
 10.1.1.1: unpatched
 10.1.1.2: patched with both KB824146 (MS03-039) and KB823980 (MS03-026)
 10.1.1.3: Patched with only KB823980 (MS03-026)
 10.1.1.4: host unreachable
 10.1.1.5: DCOM is disabled on this host
 10.1.1.6: address not valid in this context
 10.1.1.7: connection failure: error 51 (0x00000033)
 10.1.1.8: connection refused
 10.1.1.9: this host needs further investigation

 <-> Scan completed

 Statistics:

 Patched with both KB824146 (MS03-039) and KB823980 (MS03-026) .... 1
 Patched with only KB823980 (MS03-026) ............................ 1
 Unpatched ............................. 1
 TOTAL HOSTS SCANNED ................... 3

 DCOM Disabled ......................... 1
 Needs Investigation ................... 1
 Connection refused .................... 1
 Host unreachable ...................... 248
 Other Errors .......................... 2
 TOTAL HOSTS SKIPPED ................... 253

 TOTAL ADDRESSES SCANNED ............... 256

Error Messages, Status, and Statistics
 * An "unpatched" status indicates that the host that you scanned is a Windows host but that the host does not have the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed. To help protect this computer, you must install the 824146 (MS03-039) security patch.
 * A "patched with KB823980" status indicates that the host was scanned and that the host has the 823980 (MS03-026) security patch installed. The computer does not have the 824146 (MS03-039) security patch installed. To help protect this computer, you must install the 824146 (MS03-039) security patch.
 * A "patched with KB824146 and KB823980" status indicates that the host was scanned and that the host has the 823980 (MS03-026) and the 824146 (MS03-039) security patches installed.
 * A "host unreachable" error message indicates that no host is present at the specified Internet Protocol (IP) address. Additionally, black hole routers, or firewalls that drop packets, such as Internet Connection Firewall (ICF), also return the "host unreachable" error message.
 * A "DCOM is disabled on this host" status indicates that DCOM has been disabled on the target host computer. DCOM may have been disabled to help protect against the vulnerabilities that are addressed by the 823980 (MS03-026) and the 824146 (MS03-039) security patches. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

825750 How to Disable DCOM Support in Windows

 * An "address is not valid in this context" or a "connection failure" error message indicates that there was some problem connecting to the remote computer. To determine whether the target computers have been patched, you must manually inspect them.
 * A "connection refused" error message indicates either that no service is listening on TCP port 135 or that TCP port 135 is being filtered (either by the Windows TCP/IP stack or by a firewall or a router). To determine whether the target computers have been patched, you must manually inspect them.
 * A "this host needs further investigation" error message indicates that there was some problem scanning the remote host. To determine whether the target computers have been patched, you must manually inspect them.
 * A "connection failure, error 67 (0x00000043)" error message indicates that the network name cannot be found. To determine the cause of similar error messages, type the following at the command prompt, followed by the decimal error number:

net helpmsg

 * The "Patched with KB824146 and KB823980" statistic is a count of the target computers that were marked with the status message "patched with KB824146 and KB823980."
 * The "Patched with KB823980" statistic is a count of the target computers that were marked with the status message "patched with KB823980."
 * The "Unpatched" statistic is a count of the target computers that were marked with the status message "unpatched."
 * The "TOTAL HOSTS SCANNED" statistic is a total of the "Patched with KB824146 and KB823980," the "Patched with KB823980," and the "Unpatched" statistics.
 * The "DCOM Disabled" statistic is a count of the target computers that were marked with the status message "DCOM is disabled on this host."
 * The "Needs Investigation" statistic is a count of the target computers that were marked with the status message "this host needs further investigation."
 * The "Connection refused" statistic is a count of the target computers that were marked with the status message "connection refused."
 * The "Host unreachable" statistic is a count of the target computers that were marked with the status message "host unreachable."
 * The "Other Errors" statistic is a count of the target computers that were marked with any other error message that is not included in this list.
 * The "TOTAL HOSTS SKIPPED" statistic is a total of the "DCOM Disabled," the "Needs Investigation," the "Connection refused," the "Host unreachable," and the "Other Errors" statistics.
 * The "TOTAL ADDRESSES SCANNED" statistic is a total of the "TOTAL HOSTS SCANNED" and the "TOTAL HOSTS SKIPPED" statistics.
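The status and statistics rules above can be applied to saved scanner output to produce a patch list and a manual-inspection list. The following Python script is an added example, not part of the original article or of Microsoft's tooling; it assumes each host line has the form "IP: status" shown in the sample output, and the names classify, triage, NEEDS_PATCH and MANUAL are hypothetical. NEEDS_PATCH follows the help text's definition of a vulnerable system (unpatched, or patched with only KB823980).

```python
import re
from collections import Counter

# Constructed input: the per-host lines from the article's sample output.
SAMPLE = """\
10.1.1.1: unpatched
10.1.1.2: patched with both KB824146 (MS03-039) and KB823980 (MS03-026)
10.1.1.3: Patched with only KB823980 (MS03-026)
10.1.1.4: host unreachable
10.1.1.5: DCOM is disabled on this host
10.1.1.6: address not valid in this context
10.1.1.7: connection failure: error 51 (0x00000033)
10.1.1.8: connection refused
10.1.1.9: this host needs further investigation
"""

# Lower-cased status prefix -> statistics category named in the article.
BUCKETS = [
    ("patched with both", "Patched with both"),
    ("patched with only kb823980", "Patched with only KB823980"),
    ("unpatched", "Unpatched"),
    ("dcom is disabled", "DCOM Disabled"),
    ("this host needs further investigation", "Needs Investigation"),
    ("connection refused", "Connection refused"),
    ("host unreachable", "Host unreachable"),
]
SCANNED = {"Patched with both", "Patched with only KB823980", "Unpatched"}
NEEDS_PATCH = {"Patched with only KB823980", "Unpatched"}  # still lack 824146
MANUAL = {"Needs Investigation", "Connection refused", "Other Errors"}
# Assumption: each host line is "<IPv4>: <status>", as in the sample output.
HOST_LINE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}):\s*(.+?)\s*$")

def classify(status):
    """Map a status message to its statistics category."""
    s = status.lower()
    return next((b for p, b in BUCKETS if s.startswith(p)), "Other Errors")

def triage(text):
    """Tally categories and build patch and manual-inspection lists."""
    hosts = {m.group(1): classify(m.group(2))
             for m in map(HOST_LINE.match, text.splitlines()) if m}
    stats = Counter(hosts.values())
    scanned = sum(stats[b] for b in SCANNED)
    return {"stats": stats, "scanned": scanned,
            "skipped": len(hosts) - scanned,
            "needs_patch": [h for h, b in hosts.items() if b in NEEDS_PATCH],
            "inspect": [h for h, b in hosts.items() if b in MANUAL]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The article's statistics cover all 256 addresses of the range, so its "Host unreachable" count is 248, while the nine constructed lines here yield 1.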

Log Files That the KB824146Scan.exe Tool Creates
Note These log files are created in the current working folder (that is, the folder where you run KB824146Scan.exe). By default, this is the KB824146scan subfolder of the Program Files folder, or the KB824146scan subfolder of the Program Files (X86) folder for 64-bit versions of Windows XP or Windows Server 2003.
 * KB824146Scan_ .log: This log file contains information that is similar to the information in the "Sample Output" section of this article.
 * Vulnerable_ .log: This log file contains a list of the IP addresses for computers on your network that do not have the 824146 (MS03-039) security patch installed. You can use the Vulnerable_ file without modification as the input file for the Patchinstall.vbs script that is described in Microsoft Knowledge Base article 827227. If you run KB824146Scan.exe more than one time a day to perform a scan, letters [a-z][a-z] are added to the Vulnerable_ file name after the date. For example, if you run KB824146Scan.exe five times on August 21, 2003, the following log files are created in this order:
   * 1) Vulnerable_030821.log
   * 2) Vulnerable_030821a.log
   * 3) Vulnerable_030821b.log
   * 4) Vulnerable_030821c.log
   * 5) Vulnerable_030821d.log

For the sample output that is described in the "Sample Output" section in this article, the Vulnerable_ .log log file would contain the following entries:

 10.1.1.2
 10.1.1.8

Known Issues
 * If remote access or file sharing is enabled, the KB824146scan.exe tool may incorrectly report that the following versions of Windows are vulnerable:
   * Microsoft Windows 95
   * Microsoft Windows 98
   * Microsoft Windows 98 Second Edition
   * Microsoft Windows Millennium Edition
 * The original version of the KB824146scan.exe tool (1.00.0249) cannot determine whether the 823980 (MS03-026) and the 824146 (MS03-039) security patches are installed on a Windows NT 4.0-based computer that has the RestrictAnonymous value set to 1 in the following registry key:

In this case, the KB824146scan.exe tool reports the following error status for the target computer: "cannot get workstation info: error 997 (0x000003E5)." To determine whether these computers have been patched, use version 1.00.0257 of the KB824146scan.exe, or manually inspect all Windows NT 4.0-based computers that have the RestrictAnonymous value turned on.
 * You cannot use double-byte character set (DBCS) characters in the path for the input file, the output file, the log file, or the host computer when you use the KB824146scan.exe tool.

Additional query words: dcomscan ms03-026 rpc dcom patch scanner 1.0 exploit vulnerability patch rpcss

Keywords: kbfirewall KB827363


© Microsoft Corporation. All rights reserved.