Microsoft KB Archive/320454

= Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 is available =

Article ID: 320454

Article Last Modified on 12/3/2007

-

APPLIES TO

 Microsoft Data Engine 1.0 Microsoft Data Engine 1.0 Microsoft Exchange 2000 Server Standard Edition Microsoft Exchange Server 2000 Service Pack 1 Microsoft Exchange Server 5.5 Standard Edition Microsoft Exchange Server 5.5 Service Pack 1 Microsoft Exchange Server 5.5 Service Pack 2 Microsoft Exchange Server 5.5 Service Pack 3</li> Microsoft Exchange Server 5.5 Service Pack 4</li> Microsoft Internet Explorer 6.0, when used with: <ul> Microsoft Windows XP Home Edition</li></ul>

<ul> Microsoft Windows XP Professional</li></ul>

<ul> Microsoft Windows XP Media Center Edition 2002</li></ul>

<ul> Microsoft Windows XP Tablet PC Edition</li></ul>

<ul> Microsoft Windows 2000 Advanced Server</li></ul>

<ul> Microsoft Windows 2000 Datacenter Server</li></ul>

<ul> Microsoft Windows 2000 Professional Edition</li></ul>

<ul> Microsoft Windows 2000 Server</li></ul>

<ul> Microsoft Windows NT Server 4.0 Standard Edition</li></ul>

<ul> Microsoft Windows NT Server 4.0, Terminal Server Edition</li></ul>

<ul> Microsoft Windows NT Workstation 4.0 Developer Edition</li></ul> </li> Microsoft Internet Explorer 5.5 Service Pack 1</li> Microsoft Internet Explorer 5.5 Service Pack 2</li> Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Explorer 5.5 Service Pack 1</li> <li>Microsoft Internet Explorer 5.5 Service Pack 2</li> <li>Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Explorer 5.01</li> <li>Microsoft Internet Information Server 4.0</li> <li>Microsoft Internet Information Services 5.0</li> <li>Microsoft Internet Information Services 5.1</li> <li>Microsoft Internet Information Services 6.0</li> <li>Microsoft SQL Server 2000 Service Pack 1</li> <li>Microsoft SQL Server 2000 Service Pack 2</li> <li>Microsoft SQL Server 7.0 Standard Edition</li> <li>Microsoft SQL Server 7.0 Service Pack 1</li> <li>Microsoft SQL Server 7.0 Service Pack 2</li> <li>Microsoft SQL Server 7.0 Service Pack 3</li> <li>Microsoft SQL Server 7.0 Service Pack 4</li> <li>Microsoft Windows Media Player 9 Series</li> <li>Microsoft Windows NT Server 4.0, Terminal Server Edition Service Pack 4</li> <li>Microsoft Windows Media Player 7.1</li> <li>Microsoft Windows Media Player 7.0</li> <li>Microsoft Windows Media Player 6.4</li> <li>Microsoft Windows Server 2003, Standard Edition (32-bit x86)</li> <li>Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)</li> <li>Microsoft Windows XP Home Edition</li> <li>Microsoft Windows XP Professional</li> <li>Microsoft Windows 2000 Advanced Server</li> <li>Microsoft Windows 2000 Advanced Server</li> <li>Microsoft Windows 2000 Service Pack 1</li> <li>Microsoft Windows 2000 Service Pack 2</li> <li>Microsoft Windows 2000 Service Pack 1</li> <li>Microsoft Windows 2000 Service Pack 2</li> <li>Microsoft Windows NT 4.0 Service Pack 4</li> <li>Microsoft Windows NT 4.0 Service Pack 5</li> <li>Microsoft Windows NT 4.0 Service Pack 6</li> <li>Microsoft Windows NT 4.0 Service Pack 6a</li> <li>Microsoft Windows NT 4.0 Service Pack 4</li> <li>Microsoft Windows NT 4.0 Service Pack 5</li> <li>Microsoft Windows NT 4.0 Service Pack 6</li> <li>Microsoft Windows NT 4.0 Service Pack 6a</li> <li>Microsoft Windows NT Server 4.0, Terminal Server Edition Service Pack 5</li> <li>Microsoft Windows NT Server 4.0, Terminal Server Edition Service Pack 6</li> <li>Microsoft Windows NT Workstation 4.0 Developer Edition</li> <li>Microsoft Windows NT Workstation 4.0</li> <li>Microsoft Windows NT Workstation 4.0 Developer Edition</li> <li>Microsoft Windows NT Workstation 4.0 Developer Edition</li> <li>Microsoft Windows Media Player 9 Series for Windows XP</li> <li>Microsoft Windows 2000 Advanced Server</li> <li>Microsoft Windows 2000 Service Pack 3</li> <li>Microsoft Windows 2000 Service Pack 3</li> <li>Microsoft Windows Small Business Server 2003 Premium Edition</li> <li>Microsoft Windows Small Business Server 2003 Standard Edition</li> <li>Microsoft Data Access Components 2.5</li> <li>Microsoft Data Access Components 2.6</li> <li>Microsoft Data Access Components 2.7</li> <li>Microsoft Data Access Components 2.8</li> <li>Microsoft XML Parser 2.5</li> <li>Microsoft XML Parser 2.6</li> <li>Microsoft XML Parser 3.0</li> <li>Microsoft XML Core Services 4.0</li> <li>Microsoft Exchange Server 2003 Enterprise Edition</li> <li>Microsoft Exchange Server 2003 Standard Edition</li> <li>Microsoft Java Virtual Machine</li> <li>Microsoft Content Management Server 2001 Enterprise Edition</li> <li>Microsoft Content Management Server 2002</li> <li>Microsoft Commerce Server 2000 Standard Edition</li> <li>Microsoft Commerce Server 2002 Standard Edition</li> <li>Microsoft BizTalk Server 2000 Standard Edition</li> <li>Microsoft BizTalk Server 2002 Standard Edition</li> <li>Microsoft SNA Server 4.0</li> <li>Microsoft Host Integration Server 2000 Standard Edition</li></ul>

-

<div class="notice_section">

This article was previously published under Q320454

<div class="summary_section">

SUMMARY
This article contains information about the Microsoft Baseline Security Analyzer tool (MBSA). This tool centrally scans Windows-based computers for common security misconfigurations and generates individual security reports for each computer that it scans. MBSA runs on computers that run Windows Server 2003, Windows 2000, and Windows XP. MBSA can scan for security vulnerabilities on computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. MBSA scans for common security misconfigurations in Windows, Internet Information Services (IIS), SQL Server, Internet Explorer, and Microsoft Office. MBSA also scans for missing security updates in Windows, IIS, SQL Server, Internet Explorer, Windows Media Player, Exchange Server, Microsoft Data Access Components (MDAC), Microsoft XML (MSXML), Microsoft virtual machine (VM), Content Management Server, Commerce Server, BizTalk Server, Host Integration Server, and Office (local scans only). A graphical user interface (GUI) and command-line interface are available in version 1.2.1.

MBSA replaced the stand-alone HFNetChk tool and fully exposes all HFNetChk switches in the MBSA command-line interface (Mbsacli.exe). For additional information about MBSA, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx

Download Information
English, French, German, and Japanese versions of MBSA are available from the Microsoft Download Center. Visit the following the MBSA Web page for direct links to download these versions:

http://www.microsoft.com/technet/security/tools/mbsahome.mspx#XSLTsection124121120120

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to obtain Microsoft support files from online services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

<div class="moreinformation_section">

How to Use MBSA
To run the GUI version of MBSA, start Mbsa.exe from the folder where the tool was installed. To run the command-line version, type the following command at a command prompt (from the folder where the tool was installed), and then press ENTER:

mbsacli.exe

System and Language Applicability
You can run MBSA version 1.2.1 on computers that run Windows Server 2003, Windows 2000, or Windows XP. MBSA can scan computers that run Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. A Windows XP Home Edition computer cannot be scanned remotely. A Windows XP Professional computer can be scanned remotely if it is joined to a domain. If not joined to a domain, a Windows XP Professional computer can be scanned remotely only after the Local Security Setting is set to Classic – local users authenticate as themselves and simple file sharing is disabled.

For additional information about simple file sharing, click the following article number to view the article in the Microsoft Knowledge Base:

304040 How to configure file sharing in Windows XP

MBSA cannot be used to scan computers that run Microsoft Windows 95, Windows 98, or Windows Millennium Edition.

MBSA 1.2.1 is localized for English, Japanese, German, and French.

System Requirements
The following list describes the system requirements to scan a local computer:
 * Windows Server 2003, Windows 2000, or Windows XP.
 * Internet Explorer 5.01 or later.
 * An XML parser is required for the tool to function correctly. Microsoft recommends that you use the most recent version of the MSXML parser. See the notes later in this article about how to obtain an XML parser separately. On Windows 2000 systems that do not have MSXML 3.0 or later installed, Setup does not continue until the user installs the latest MSXML parser.
 * The Workstation service and the Server service must be running.
 * You must have the World Wide Web Service to perform local IIS administrative vulnerability checks.

The following list describes the system requirements for a computer that is running the tool and scanning remote computers:
 * Windows Server 2003, Windows 2000, or Windows XP.
 * Internet Explorer 5.01 or later.
 * An XML parser is required for the tool to function correctly. Microsoft recommends that you use the most recent version of the MSXML parser. See the notes later in this article for information about how to obtain an XML parser separately. On Windows 2000 systems that do not have MSXML 3.0 or later installed, Setup does not continue until the user installs the latest MSXML parser.
 * The IIS Common Files are required on the computer where the tool is installed to perform remote scans of IIS computers.

Note The IIS 6.0 Common Files are required on the local machine when you remotely scan an IIS 6.0 server.
 * The Workstation service and Client for Microsoft Networks are turned on.

The following list describes the system requirements for the computer you want to scan remotely by using the tool:
 * Windows NT 4.0 Service Pack 4 (SP4) and later, Windows 2000, Windows XP (local scans only on Windows XP-based computers that use simple file sharing), or Windows Server 2003.
 * IIS 4.0, 5.0, 5.1 or 6.0 (to perform IIS vulnerability checks).
 * Internet Explorer 5.01 or later (to perform Internet Explorer security zones checks).
 * SQL 7.0, 2000 (to perform SQL vulnerability checks).
 * Office 2000, Office XP, or Office 2003 (to perform Office vulnerability checks).
 * The following services must be installed: Server service, Remote Registry service, File and Print Sharing.

Users who perform the scan must have local administrative credentials on each computer that they want to scan, regardless whether they perform a local scan or a remote scan. For remote scans, the administrative shares must be enabled on the scanned computer for MBSA to successfully connect and perform the scan.

You must have Internet access to download the Mssecure.cab file from the Microsoft Download Center. Mssecure.cab is used for the security updates scan. If a previous copy of the Mssecure.cab file was downloaded during a prior scan, MBSA will try to use the locally cached copy if an Internet connection is not detected.

How to obtain the MSXML parser
XML parsers have shipped in Internet Explorer 5.01 and later. However, Microsoft recommends that you use the latest version of Internet Explorer and the latest version of the MSXML parser. To download the latest version of the MSXML parser, visit the following Microsoft Web site:

http://go.microsoft.com/fwlink/?LinkId=16533

MBSA Scanning Options
The following parts of a scan are optional. You can turn them off in the GUI or command-line interface before you scan a computer:
 * Windows operating system checks
 * IIS checks
 * SQL checks
 * Security update checks
 * Password checks

MBSA Command-Line Options
There are two types of scans that you can perform by using the MBSA command-line interface: MBSA-style scans and HFNetChk-style scans.

MBSA-Style Scans
Like MBSA V1.1.1, the MBSA-style scan stores results, in individual XML files to later be viewed in the MBSA GUI. MBSA-style scans include the full set of available Windows, IIS, SQL, Desktop Application, and security update checks.

Note To perform a scan with the same options as the MBSA GUI, users must explicitly use the /nosum switch.

To run the tool from the command line (from the MBSA installation folder), type mbsacli.exe, and use the following parameters.

mbsacli [/c|/i|/r|/d | | ] [/n  ] [/sus  | ] [/s  ] [/nosum] [/nvc] [/o  ] [/e] [/l] [/ls] [/lr  ] [/ld  ] [/v] [/?] [/qp] [/qe] [/qr] [/q] [/f] [/unicode]

To Select Which Computer to Scan

 * no option - Scan the local computer.
 * /c \ - Scan the named computer.
 * /i  - Scan the specified IP address.
 * /r  -   - Scan the specified range of IP addresses.
 * /d  - Scan the named domain.

To Select Which Scan Options to Not Perform
Note You can concatenate these options. For example, you can use /n OS + IIS + Updates to skip IIS, Windows, and security update checks.
 * /n IIS - Skip IIS checks.
 * /n OS - Skip Windows operating system checks.

Note When you use this switch, Internet Explorer and Outlook security zones and Office macro security checks are also skipped.
 * /n Password - Skip password checks.
 * /n SQL - Skip SQL checks.
 * /n Updates - Skip security update checks.

Security Update Scan Options
<ul> <li>/sus  |   - Check only for security updates that are approved at the specified SUS server, or at the file path of the Approveditems.txt file. Use one of the following options with the /sus switch: <ul> <li>The URL for the SUS Server. For example, http://server.</li> <li>The URL or UNC path of the Approveditems.txt file. For example, http://server/Approveditems.txt.</li></ul>

Note If a URL or path is not specified, the value stored in the registry of the client computer is used (if available). This registry value may be specified by the network administrator through Group Policy.</li> <li>/s 1 - Suppress security update check note messages.</li> <li>/s 2 - Suppress security update check note and warning messages.</li> <li>/s 3 - Suppress warnings except for service packs.</li> <li>/nosum - Security update checks will not test file checksums.</li></ul>

To Specify the Output File Name Template

 * /o  By default, the output filename uses the format   -.

To Display the Results and Details

 * /e - List the errors from the latest scan.
 * /l - List all the reports that are available.
 * /ls - List the reports from the latest scan.
 * /lr  - Display an overview report.
 * /ld  - Display a detailed report.
 * /v – Display security update reason codes.

Miscellaneous Options

 * /? - Usage help.
 * /qp - Do not display progress.
 * /qe - Do not display error list.
 * /qr - Do not display report list.
 * /q - Do not display progress, error list, or report list.
 * /f - Redirect the output to a file.
 * /unicode – Generate unicode output. If you run a Japanese version of MBSA, or scan computers that run Japanese versions of Windows, it is a good idea to specify this switch.

HFNetChk-Style Scans
Like the stand-alone HFNetChk tool, the HFNetChk-style scan checks for missing security updates and displays scan results as text in the command-line window. To perform an HFNetChk-style scan with MBSA version 1.2.1, use the /hf flag with Mbsacli.exe.

Note To perform a scan with the same options as the MBSA GUI by using the /hf switch, you must explicitly use the -b, -v, and –nosum switches (description of switches below).

Note You cannot combine the MBSA-style scan parameters that are listed earlier with the /hfswitch option.

To run the tool from the command line (from the MBSA installation folder), type mbsacli.exe /hf, followed by one or more of the parameters that are listed later in this article.

Switches available with /hf flag
mbsacli /hf [-h ] [-fh  ] [-i  ] [-fip  ] [-r  ] [-d  ] [-n] [-sus  | ] [-fq  ] [-s 1] [-s 2] [-nosum] [-sum] [-z] [-v] [-history  ] [-nvc] [-o  ] [-f  ] [-unicode] [-t] [-u  ] [-p  ] [-x] [-?]

To Select Which Computer to Scan

 * -h  - Scans the named NetBIOS computer name. The default location is the local host. To scan multiple hosts, separate the host names with a comma.
 * -fh  - Scans the NetBIOS computer names that are specified in the text file that you named. Specify one computer name on each line in the .txt file, to a maximum of 128 names.
 * -i  - Scans the named IP address. To scan multiple IP addresses, separate each IP address with a comma.
 * -fip  - Scans the IP addresses that you specified in the text file that you named. Specify one IP address on each line in the .txt file, with a maximum of 256 IP addresses.
 * -r  -   - Scans a specified range of IP addresses.

Note You can use the previous switches in combination. For example, you can use a command-line with the following format: mbsacli /hf –h,  -i   -fip   -r  -
 * -d  - Scans a specified domain.
 * -n - Scans all the computers on the local network. All computers from all domains in Network Neighborhood (or My Network Places) are scanned

To Specify Which Scan Options to Perform or Display
<ul> <li>-sus |  or -sus   - Check only for security updates approved at the specified URL of the SUS server, or at the file path of the specified Approveditems.txt file. If a URL or path is not specified, the value stored in the registry on the client computer will be used.</li> <li>-fq  - Specifies the name of a file that contains the Qnumbers that you want to suppress on the output. Specify one Qnumber per line. This switch only prevents the specified items from appearing in the output; it does not remove the items from consideration during the course of a scan.</li> <li>-s 1 - Suppress security update check note messages.</li> <li>-s 2 - Suppress security update check note and warning messages.</li> <li>-nosum - Specifies not to perform checksum validation for the security update files. Typically, you do not require this switch.</li> <li>-sum - Forces a checksum scan when you scan a non-English language computer. Use this switch only if you have a custom XML file with language-specific checksums.</li> <li>-z - Specifies not to perform registry checks.

Note When you use this switch with –history, registry checks will still be performed for those patches that only have registry key data and no file version information in the Mssecure.xml file.</li> <li>-v - Displays the reason why a test did not work in wrap mode. You can use this switch to display the reason why a security update is considered &quot;not found&quot; or if you receive a NOTE or WARNING message.</li> <li>-history [ ] - Displays updates that have been explicitly installed, explicitly not installed, or both. Typically, you do not require this switch. However, you may require it under very specific circumstances. You have the following options with this switch: <ul> <li>1 - Displays those updates that have been explicitly installed.</li> <li>2 - Displays those updates that have been explicitly not installed.</li> <li>3 - Displays those updates that have explicitly been installed and not installed.</li></ul>

For example, use –history 1 to displays those updates that have been explicitly installed.</li> <li>-nvc – Do not look for a new version of MBSA.</li></ul>

To Specify Output Format and File Names

 * -o [ ] - Specifies the output format that you want. You have the following options with this switch:
 * tab - Displays output in tab-delimited format.
 * wrap - Displays output in word-wrapped format.
 * -f  - Specifies the name of a file where you want to store the results. You can use the switch in both wrap and tab output.
 * -unicode – Generate unicode output. If you run a Japanese version of MBSA, or scan computers that run Japanese versions of Windows, it is a good idea to specify this switch.

Miscellaneous Options

 * -t - Displays the number of threads that are used to run the scan. By default, the value is 64, but possible values are 1 to 128. You can use this switch to increase or reduce the scanner speed.
 * -u  - Specifies the user name to use when scanning a local or remote computer or groups of computers. You must use this switch with the -p (password) switch.
 * -p  - Specifies the password to use when scanning a local or remote computer or groups of computers. You must use this switch with the -u (username) switch. For security reasons, the password is not sent over the network in clear text. Instead, HFNetChk uses the challenge-response mechanism that is built into Windows NT 4.0 and later to secure the authentication process.
 * -x - Specifies the XML data source that contains the available security update information. The location may be an XML file name, a compressed XML .cab file, or a URL. The default file is the Mssecure.cab file from the Microsoft Web site. If you do not use this switch, the Mssecure.xml file downloads from the Microsoft Web site.
 * -? - Displays a menu. You can also call this switch by using the /? syntax. The menu also appears every time that you type incorrect syntax at a command prompt.

Detecting Updates
Microsoft Baseline Security Analyzer (MBSA) version 1.2.1 changes how updates are detected. Additionally, because of better detection capabilities in MBSA version 1.2.1, some updates may be reported as &quot;Not applicable,&quot; although the updates were reported as &quot;Applicable&quot; in the previous release.

For additional information about the differences between MBSA 1.1.1 and MBSA 1.2.1, click the following article number to view the article in the Microsoft Knowledge Base:

306460 Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates

Scan Reports
Scan reports are stored on the computer where the tool is installed in the %userprofile%\SecurityScans folder. An individual security report is created for each computer that is scanned (locally and remotely). Users must use Windows Explorer to rename or delete scans that are created by the tool in this folder.

Security Updates Scan
By default, a security update scan that you carry out from the MBSA GUI or from Mbsacli.exe scans and reports missing updates that Windows Update marks as critical security updates (also known as baseline critical security updates). When you carry out a security update scan from Mbsacli.exe by using the /hf switch, all security-related security updates are scanned and reported on. A user who runs an HFNetChk-style scan must use the -b option to scan only for Windows Update critical security updates.

Password Checks
The password checks can add a lot of time to a scan, depending on the computer role and the number of user accounts on the computer. Additionally, attempts to check individual accounts for weak passwords can add Security log entries (logon or logoff events) if auditing is enabled on the computer. MBSA resets any account lockout policies that are detected on the computer so that no individual user accounts are locked out during the password check. This check is not performed on domain controllers.

If you do not select this option before you scan a computer, both the local Windows and SQL account password checks will not be performed.

IIS Checks
The IIS 6.0 Common Files are required on the local machine that is used to remotely scan an IIS 6.0 server. The IIS 6.0 Common Files can be used to also scan earlier versions of IIS machines (for example, IIS 5.0). However, the IIS 5.0 Common Files cannot be used to remotely connect to and scan a computer that is running IIS 6.0.

SQL Server Checks
The tool checks for vulnerabilities on each instance of SQL Server that it finds on the computer. It performs all the individual SQL checks on each instance.

Localized Windows Builds
MBSA version 1.2.1 can scan English, German, French, and Japanese localized versions of the Windows operating system. This support includes the ability to download localized versions of the Mssecure.xml file from Microsoft. Checksum checks will not be performed when you scan a non-English computer for missing security updates without the associated localized Mssecure.xml file.

Support Options
An MBSA newsgroup has been created for users to post questions and obtain information about tool updates, technical questions, and upcoming versions:
 * News server: Msnews.microsoft.com
 * Newsgroup: Microsoft.public.security.baseline_analyzer

If you are reporting bugs to the newsgroup, include the following information:
 * Operating system and service pack version on the computer that is running the tool.
 * Operating system and service pack version of the computer that is being scanned.
 * Internet Explorer version on the computer that is running the tool.
 * Internet Explorer version on the computer that is being scanned.
 * Version of MBSA. You can locate this information by clicking About Microsoft Baseline Security Analyzer in MBSA.

MBSA was developed for Microsoft by Shavlik Technologies LLC. For additional information about Shavlik Technologies LLC, see the following Shavlik Technologies LLC Web site:

http://www.shavlik.com

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

Error Messages
When you use the Mbsacli /hf tool, you may receive any one of the following error messages. The following list describes the error messages and how to resolve them.

Error: 200 - System not found. Scan not performed.

This error message indicates that Mbsacli /hf did not locate the specified computer and did not scan it. To resolve this error, verify that this computer is on the network and that the host name and IP address are correct.

Error: 201 - System not found.

You may receive this error message if a network problem prevents Mbsacli from scanning the specified computer. To resolve this error, verify that your computer (the computer that performs the scan) is correctly connected to the network and that you can remotely log on to the specified computer you want to scan.

Error: 202 - System not found. Scan not performed.

You receive this error message because a network or computer error occurred during the scan. To resolve this error, verify that your scanning computer is correctly connected to the network and that the computer you are scanning is still connected to the network. Additionally, make sure that the remote computer is running the Server service.

Error: 230 - Scan not performed.

You receive this error message because a general network error occurred. See your computer documentation for more information.

Error: 235 - System not found, or NetBIOS ports may be firewalled. Scan not performed.

You may receive this error message if no computer has the specified IP address. If there is a computer at this address, a personal firewall or port filtering device may be dropping packets that are going to TCP ports 139 and 445.

Error: 261 - System found but it is not listening on NetBIOS ports. Scan not performed.

You receive this error message because there is a computer at this IP address, but it is either not listening or is blocking access to TCP ports 139 and 445.

Error: 301 - SystemRoot share access required to scan. Unable to connect to the remote machine’s system share.

You may receive this error message if the administrator has unshared the systemroot (typically C$ or similar) or has disabled the AutoShareServer(Wks) by using the registry.

Error: 451 - Admin rights are required to scan. Scan not performed.

You receive this error message because the current or specified user account that performs the scan does not have administrative credentials for the computer that the user is scanning. To resolve this error, verify that the specified account is a member of the local administrators group on the computer you want to scan (or a member of a group that has local administrative credentials).

Error: 452 - HFNetChk is unable to scan this computer. Please check to see that you have administrative rights to this machine and are able to login to this machine from your workstation. Scan not performed.

To resolve this error, verify that the Server service is enabled on the remote computer and that you can remotely log on to that computer. Additionally, make sure that the Workstation service is running on the computer that performs the scan.

Error: 501 - Remote registry access denied. Scan not performed.

To resolve this error, verify that the Remote Registry service is enabled on the computer you want to scan.

Error: 502 - Scan not performed. Error reading Registry.

You receive this error message because a general registry error occurred. See your computer documentation for more information.

Error: 503 - Scan not performed. Error reading Registry.

You receive this error message because a general registry error has occurred. There is no additional information that is available about this error message.

Error: 553 - Unable to read registry. Please ensure that the remote registry service is running. Scan not performed.

To resolve this error message, verify that the Remote Registry service is enabled on the computer that you want to scan.

Error: 621 - Machine is not one of Windows (NT 4, 2000, XP or .NET). Scan not performed.

The computer that you want to scan runs an operating system that the tool does not support. The computer that you want to scan may run a non-Microsoft operating system that is running SMB services, or it may emulate a Microsoft product in some other way.

Error: 622 - Machine OS is not Recognized. Please run with tracing on and send to technical support. Scan not performed. Unable to determine the Operating System of the specified machine.

You may receive this error message when you scan beta or unreleased versions of Microsoft operating systems.

Error: 623 - Machine Service pack is not Recognized. Please run with tracing on and send to technical support. Scan not performed. Unable to determine the Service Pack of the specified machine.

You may receive this error message if you scan beta or unreleased versions of Microsoft service packs.

Error: 701 - File http://download.microsoft.com/download/xml/security/1.0/NT5/EN-US/mssecure.cab was NOT downloaded. The signed, compressed .cab file containing the security patch information could not be obtained from the specified location.

You may receive this error message if the computer that is performing the scan is not connected to a network or cannot access the specified file or location.

Keywords: atdownload kbenv kberrmsg kbinfo KB320454

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.