Initial setup and configuration

This section is intended for administrators who are using a startup script or a logon script to deploy this tool. To configure the server and the share, follow these steps:

1. Create a folder that is named "BIN" under the folder that represents the Netlogon share on your domain controller. For example, create the BIN folder under the following folder:

   %WINDIR%\SYSVOL\sysvol\UserDNSDomain\scripts

2. Download the Windows XP Service Pack 2 Support Tools, extract the Filever.exe tool, and then copy this tool into the BIN folder that you created in step 1.
   
   The Filever.exe tool is included with the Windows XP Service Pack 2 Support Tools. To obtain the Windows XP Service Pack 2 Support Tools, visit the following Microsoft Web site:

   http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

   For more information about the Filever.exe tool, visit the following Microsoft Web site:

   http://technet2.microsoft.com/windowsserver/en/library/1a9f06ba-ba52-49e7-baf3-5352cfd828991033.mspx?mfr=true

   For more information about the Filever.exe tool, click the following article number to view the article in the Microsoft Knowledge Base:

   913111 How to use the Filever.exe tool to obtain specific information about a file in Windows

3. Download the Getver.exe tool, extract the tool, and then copy it to the BIN folder that you created in step 1.
   
   The Getver.exe tool is included with the Microsoft Product Support Reporting Tool v5.2.2004.1. To obtain the Microsoft Product Support Reporting Tool v5.2.2004.1, visit the following Microsoft Web site:

   http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_SETUPPerf.exe

   To extract the Getver.exe tool, use the /C switch as follows:

   MPSRPT_SETUPPerf.exe /C

4. Download the version of Windows Live Messenger that is associated with the client base:
   • For Windows XP and later operating systems, download Windows Live Messenger 8.1.0178. To do this, visit the following Microsoft Web site:

     http://www.microsoft.com/downloads/details.aspx?FamilyID=d78f2ff1-79ea-4066-8ba0-ddbed94864fc&DisplayLang=en

   • For Windows 2000-based systems, download MSN Messenger 7.0.0820. To do this, visit the following Microsoft Web site:

     http://www.microsoft.com/downloads/details.aspx?FamilyID=cf49c56c-8b3e-4eae-9904-9505f47bed45&displaylang=en

5. Run the installation package by using the /C switch to extract the MsnMsgs.msi file, and then copy the file to the BIN folder that you created in step 1.
   
   Note If both packages are required, you must rename the MSN Messenger 7 installation file as "MsnMsgs7.msi." You must make this change because both installer files use the same name.
   
6. Designate a collection server to be used to deposit the log files that are created by the scripts that are referenced in this article.
7. Create a share that is named "LOGS" on the collection server. Then, apply the following permissions:
   1. Add the domain user account for the user who is managing this share, and then click Full Control.
   2. If you use the computer startup script method, grant the Domain Computers group Modify permissions, Read & Execute permissions, List Folder Contents permissions, Read permissions, and Write permissions.
   3. If you use the logon script method, grant the Authenticated Users group Modify permissions, Read & Execute permissions, List Folder Contents permissions, Read permissions, and Write permissions.

Usage

The MSNMsgrTest.bat file can be used to determine whether a vulnerable version of the Msnmsgr.exe file is installed in Windows 2000, in Windows XP, in Windows Server 2003, or in Windows Vista.

The script does the following:

• Determines whether the vulnerable version of the Msnmsgr.exe file is installed on the system
• Outputs results to the screen
• Outputs results to the following comma-delimited log file:

  MSNMsgrTest_Results.csv

• Logs the computer name, the operating system (OS) version, the Msnmsgr.exe file version, the vulnerability status, and the date-and-time of the scan

Code example

The script and the steps that are provided here are intended only as examples. Make sure that you test these scripts and these steps, and then modify them appropriately to work in your specific environments. For example, you must change the server name and the share name according to the setup parameters in your environment.

@echo off
REM: MSNMsgrTest.bat to determine whether a vulnerable version of Msnmsgr.exe is installed in Windows 2000, in Windows XP, in 
Windows Server 2003, or in Windows Vista.
REM: Output is displayed on the screen and is saved to a comma-delimited output log file: MSNMsgrTest_Results.csv.
REM: This batch file script requires Filever.exe.

Set STDOUTPUT=YES

REM: Remove the "REM:" in the following line to suppress output to the screen (and to log only to the output log file).
REM: Set STDOUTPUT=NO


REM: Edit the "Set OutputLog" line to change the location of the Output log file.
REM: For example: Set OutputLog=\\Server_name\share\MSNMsgrTest_Results.csv.
Set OutputLog=MSNMsgrTest_Results.csv


REM: If the output .csv file already exists, skip the addition of header information.
if exist %OutputLog% GOTO RUNTEST

REM: Add header information to the output .csv file.
echo Computername,OS Version,Msnmsgr.exe Fileversion,Vulnerable? (YES/NO),MS07-054 Status,Scan Date - Time > %OutputLog%
echo ====================,==========================================,======================,====================,====================,============================ >> %OutputLog%

:RUNTEST
REM: Determine OS version.

FOR /F "skip=1 tokens=*" %%a in ('ver') do SET OSVEROUT=%%a
FOR /f "tokens=3 delims=n" %%b in ("%OSVEROUT%") do set OSVER=%%b

REM: Determine processor architecture.
if exist "%ProgramFiles(x86)%" GOTO X64
if exist "%ProgramFiles%" GOTO X86

GOTO x86

:X64
REM: Determine the version of Msnmsgr.exe on x64 systems.
if not exist "%ProgramFiles(x86)%\msn messenger\msnmsgr.exe" GOTO NOTFOUND
FOR /F "tokens=*" %%i in ('filever.exe "%ProgramFiles(x86)%\msn messenger\msnmsgr.exe"') do SET FILEVEROUT=%%i 
FOR /f "tokens=5 delims= " %%i in ("%FILEVEROUT%") do set MSNVer=%%i
GOTO TESTOSVER

:X86
REM: Determine the version of Msnmsgr.exe on x86 systems.
if not exist "%ProgramFiles%\msn messenger\msnmsgr.exe" GOTO NOTFOUND
FOR /F "tokens=*" %%i in ('filever.exe "%ProgramFiles%\msn messenger\msnmsgr.exe"') do SET FILEVEROUT=%%i 
FOR /f "tokens=5 delims= " %%i in ("%FILEVEROUT%") do set MSNVer=%%i
GOTO TESTOSVER

:NOTFOUND
Echo  %Computername%,%OSVEROUT%,File Not Found,NO,Not Required,%date% - %time% >> %OutputLog%
if (%STDOUTPUT%)==(NO) GOTO END
Echo Computername:      %Computername%
Echo OS Version:        %OSVEROUT%
Echo msnmsgr version:   Msnmsgr.exe Not Found
Echo Status:        Security update MS07-054 not required...
echo Results Output:        Saved to file: %OutputLog%
echo.
echo.
echo.
pause
GOTO END

:TESTOSVER
REM: Test whether the OS version is Windows 2000 ("downlevel") or Windows XP or a later version ("uplevel").
if %OSVer% GEQ 5.1 GOTO TESTVER_UPLEVEL
if %OSVer% LSS 5.1 GOTO TESTVER_DOWNLEVEL

:TESTVER_UPLEVEL
REM: Test for vulnerable version of Msnmsgr.exe in Windows XP, in Windows Server 2003, and in Windows Vista.
if %MSNVer% LSS 8.1 GOTO LESSER
if %MSNVer% GEQ 8.1 GOTO GREATER

:TESTVER_DOWNLEVEL
REM: Test for vulnerable version of Msnmsgr.exe in Windows 2000.
if %MSNVer% LSS 7.0.0820 GOTO LESSER
if %MSNVer% GEQ 7.0.0820 GOTO GREATER

:LESSER
Echo  %Computername%,%OSVEROUT%,%MSNVer%,YES,MS07-054 Required,%date% - %time% >> %OutputLog%
if (%STDOUTPUT%)==(NO) GOTO END
Echo Computername:      %Computername%
Echo OS Version:        %OSVEROUT%
Echo msnmsgr version:   %MSNVer% (Vulnerable!)
Echo Status:        Security update MS07-054 required...
echo Results Output:        Saved to file: %OutputLog%
echo.
echo.
echo.
pause
GOTO END

:GREATER
Echo  %Computername%,%OSVEROUT%,%MSNVer%,NO,Not Required,%date% - %time% >> %OutputLog%
if (%STDOUTPUT%)==(NO) GOTO END
Echo Computername:      %Computername%
Echo OS Version:        %OSVEROUT%
Echo msnmsgr version:   %MSNVer% (Not Vulnerable)
Echo Status:        Security update MS07-054 Not required...
echo Results Output:        Saved to file: %OutputLog%
echo.
echo.
echo.
pause
GOTO END

:END
exit

Use a Group Policy-based computer startup script to determine whether the updated version of either MSN Messenger or Windows Live Messenger is installed

This method requires that you restart the client computer after you set up the script and after you apply the Group Policy setting.

1. Set up the shares. To do this, follow the steps in the "Initial setup and configuration" section.
2. Set up the startup script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab, click New to create a new Group Policy object (GPO), and then type MSNMGR Detection for the name of the policy.
   3. Click the new policy, and then click Edit.
   4. Expand Windows Settings for Computer Configuration, and then click Scripts (Startup/Shutdown).
   5. Double-click Startup, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type \\%USERDOMAIN%\netlogon\bin\MSNMsgrTest.bat.
   7. Click OK, and then click Apply.
3. Restart the client computers that are members of this domain.

Use a Group Policy-based user logon script to determine whether the updated version of either MSN Messenger or Windows Live Messenger is installed

This method requires that the logon user account is a domain account and that this account is a member of the local administrator's group on the client computer.

1. Set up the shares. To do this, follow the steps in the "Initial setup and configuration" section.
2. Set up the logon script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab, click New to create a new Group Policy object (GPO), and then type MSNMGR Detection for the name of the policy.
   3. Click the new policy, and then click Edit.
   4. Expand Windows Settings for User Configuration, and then click Scripts (Logon/Logoff).
   5. Double-click Logon, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type \\%USERDOMAIN%\netlogon\bin\MSNMsgrTest.bat.
   7. Click OK, and then click Apply.
3. Restart the client computers that are members of this domain.

In a situation that involves a logon script, the scripts and the tools will run under the context of the logged-on user. If this user does not belong to the local administrators group, or if this user does not have sufficient permissions, the tool will not run. Additionally, the tool will not return the appropriate return code. For more information about how to use startup scripts and logon scripts, click the following article numbers to view the articles in the Microsoft Knowledge Base:

Results output

By default, the MSNMsgrTest.bat script displays a results output when it is executed. This output includes details such as the computer name, the operating system version, the Msnmsgr.exe file version, and the vulnerability status of the destination computer.

The following are samples of the various outputs you might see on the screen:

• …If a vulnerable version of Msnmsgr.exe is found on the destination computer:

  Computer name:      COMPUTER-789
  OS Version:     Microsoft Windows [Version 5.2.3790]
  manmsgr version:    7.0.816.0 <Vulnerable!>
  Status:         Security update MS07-054 required...
  Results Output:     Save to file: \\gc-xp\c$\MSNMsgrTest_Results.csv
  
  Press any key to continue . . .

• …If the version of Msnmsgr.exe if not vulnerable:

  Computer name:       COMPUTER-456
  OS Version:     Microsoft Windows [Version 5.1.2600]
  manmsgr version:    8.1.178.0  <Not Vulnerable>
  Status:         Security update MS07-054 Not required...
  Results Output:     Save to file: \\gc-xp\c$\MSNMsgrTest_Results.csv
  
  Press any key to continue . . .

• … If Msnmsgr.exe is not found on the system in its installed location:

  Computer name:      COMPUTER-123
  OS Version:     Microsoft Windows [Version 5.2.3790]
  manmsgr version:    Msnmsgr.exe Not Found
  Status:         Security update MS07-054 not required...
  Results Output:     Save to file: \\gc-xp\c$\MSNMsgrTest_Results.csv
  
  Press any key to continue . . .

Note In most enterprise environments, you will want to suppress this output screen. You will want to output the findings to only a single location on a network share.

If you do not want to see any local output on the screen, edit the script to make the following change:

Delete "REM" from the following line in the script:

REM: Set STDOUT=N

Change this line to the following:

Set STDOUT=N

CSV log file output

By default, the script creates a comma-delimited output log file that is named "MSNMsgrTest_Results.csv" in the same location from which the batch script is run.

For an enterprise environment, where multiple computers are being scanned, you will want all scan result to be logged to a single output log that is located on a share. Make sure that this share can be accessed by all users or by all destination computers. If you want to customize the location of the output log file, edit the script to specify the location. For example, edit the following line in the script to customize the name and the location of the output log file:

Set OutputLog=MSNMsgrTest_Results.csv

For example, you might edit this line in one of the following ways:

Set OutputLog=\\Server_name\share\MSNMsgrTest_Results.csv

Set OutputLog=C:\TEMP\MSNMsgrTest_Results.csv

Set OutputLog=%systemdrive%\MSNMsgrTest_Results.csv

The following is a sample of the MSNMsgrTest_Results.csv output .csv file, where multiple destination computers have logged test results to a single log file. The output is comma delimited, and it can be opened and sorted by using any spreadsheet program, such as Microsoft Office Excel.

MSNUpdate.bat script

The MSNUpdate.bat script in this section can be used to do the following:

• Detect vulnerable versions of MSN Messenger and of Windows Live Messenger
• Deploy the MS07-054 security update

Usage

Before you implement the MSNUpdate.bat script, make sure that the following conditions are true:

• A share that is named "bin" has been created under the default Netlogon share on your domain controller.
• The MsnMsgs.msi file, the MsnMsgs7.msi file, and the Getver.exe file have been saved on the bin share.

Code example

REM In this example, the script is named MSNUpdate.bat.
REM Create a share that is named "bin" under the default Netlogon share on your domain controller.
REM Use the share "bin" to hold the files: Getver.exe, MsnMsgs.msi, MsnMsgs7.msi.
REM and any other support tools that are used in the script.

If exist "%ProgramFiles%\MSN Messenger" GOTO WHATOS
If not exist "%ProgramFiles%\MSN Messenger" GOTO END

:WHATOS

\\%USERDOMAIN%\netlogon\bin\GETVER.EXE

IF %ERRORLEVEL% LEQ 50 GOTO UPDATE_MSN7x
IF %ERRORLEVEL% GEQ 51 GOTO UPDATE_MSN81


:UPDATE_MSN81

If exist "%WINDIR%\Installer\MSN Messenger 8.1.0178" goto End
If not exist "%WINDIR%\Installer\MSN Messenger 8.1.0178" goto MSN81

:MSN81
Start /wait \\%USERDOMAIN%\netlogon\bin\MsnMsgs.Msi /quiet

GOTO UPDATED

:UPDATED

echo "MSN has been updated on %computername%" > \\%COLLECTIONSERVER%\logs\%computername%_updated.log

GOTO END

:UPDATE_MSN7x

If exist "%WINDIR%\Installer\MSN Messenger 7.0.0820" goto End
If not exist "%WINDIR%\Installer\MSN Messenger 7.0.0820" goto MSN81

:MSN7x
Start /wait \\%USERDOMAIN%\netlogon\bin\MsnMsgs7.Msi /quiet

GOTO UPDATED

:UPDATED

echo "MSN has been updated on %computername%" > \\%COLLECTIONSERVER%\logs\%computername%_updated.log

:End

Use a Group Policy-based computer startup script to update either MSN Messenger or Windows Live Messenger to MS07-054

This method requires that you restart the client computer after you set up the script and after you apply the Group Policy setting.

1. Set up the shares. To do this, follow the steps in the "Initial setup and configuration" section.
2. Set up the startup script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab, click New to create a new Group Policy object (GPO), and then type MSNMGR Deployment for the name of the policy.
   3. Click the new policy, and then click Edit.
   4. Expand Windows Settings for Computer Configuration, and then click Scripts (Startup/Shutdown).
   5. Double-click Startup, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type \\%USERDOMAIN%\netlogon\bin\MSNUpdate.bat.
   7. Click OK, and then click Apply.
3. Restart the client computers that are members of this domain.

Use a Group Policy-based user logon script to update either MSN Messenger or Windows Live Messenger to MS07-054

This method requires that the logon user account is a domain account and that this account is a member of the local administrator's group on the client computer.

1. Set up the shares. To do this, follow the steps in the "Initial setup and configuration" section.
2. Set up the logon script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab, click New to create a new Group Policy object (GPO), and then type MSNMGR Deployment for the name of the policy.
   3. Click the new policy, and then click Edit.
   4. Expand Windows Settings for User Configuration, and then click Scripts (Logon/Logoff).
   5. Double-click Logon, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type \\%USERDOMAIN%\netlogon\bin\MSNUpdate.bat.
   7. Click OK, and then click Apply.
3. Restart the client computers that are members of this domain.

In a situation that involves a logon script, the scripts and the tools will run under the context of the logged-on user. If this user does not belong to the local administrators group, or if this user does not have sufficient permissions, the tool will not run. Additionally, the tool will not return the appropriate return code. For more information about how to use startup scripts and logon scripts, click the following article numbers to view the articles in the Microsoft Knowledge Base: