MS04-28 Enterprise Update Scanning Tool options

The MS04-28 Enterprise Update Scanning Tool provides the following options.

• Scanning only: This option scans for missing updates that pertain to MS04-028 and writes the results to log files.
• Scanning and deployment: This option scans for missing updates that pertain to MS04-028 and also installs the missing updates. This option also writes the results to log files.

Scanning and deployment methods

The MS04-028 Enterprise Update Scanning Tool can be implemented to scan and deploy missing updates for MS04-028 by using any one of the following methods:

• Computer startup script method
• User logon script method
• Manually initiated method by using a local folder or a remote share

back to the top

Computer startup script method

This method enables the scanning tool to run at computer startup. This method will only work in an Active Directory domain environment. Windows NT 4.0 Server-based computers cannot use the computer startup script method.

Scanning only

If you want to detect missing updates for MS04-028 by using the computer startup script method, follow these steps:

1. Complete the steps in the Initial setup and configuration section.
2. Set up a startup script. To do this, follow these steps:
   1. In the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab.
   3. Click Default Domain Policy, and then click Edit.
   4. Expand Computer Configuration, expand Windows Settings, and then click Scripts.
   5. Double-click Startup, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type wscript.exe.
   7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs.
   8. Click OK, and then click Apply.
3. To perform a scan on a client computer, restart the client computer that is a member of the domain.
4. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.

Scanning and deployment

If you want to detect and install missing updates for MS04-028 by using the computer startup script method, follow these steps:

1. Complete the steps in the Initial setup and configuration section.
2. Continue with the server setup. To do this, go to the Configure a server for deployment section.
3. Set up a startup script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab.
   3. Click Default Domain Policy, and then click Edit.
   4. Expand Windows Settings for Computer Configuration, and then click Scripts.
   5. Double-click Startup, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type wscript.exe.
   7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs /Install.
   8. Click OK, and then click Apply.
4. To perform a scan and deployment on a client computer, restart the client computer that is a member of the domain.
5. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.

back to the top

Logon script method

Important Do not use the logon script method on Terminal Server-based computers. Multiple instances of the tool that are running at the same time may produce unpredictable results.

Scanning only

If you want to detect missing updates for MS04-028 by using the logon script method, follow these steps:

Note The logon user must have Administrative permissions for the script to run successfully.

1. Complete the steps in the Initial setup and configuration section.
2. Set up a logon script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab.
   3. Click Default Domain Policy, and then click Edit.
   4. Expand Windows Settings for User Configuration, and then click Scripts.
   5. Double-click Logon, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type wscript.exe.
   7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs.
   8. Click OK, and then click Apply.
3. To perform a scan on a client computer, log off the client computer, and then log back on to the client computer with an administrator account to run the script.
4. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.

Scanning and deployment

If you want to detect and install missing updates for MS04-028 by using the user logon script method, follow these steps:

1. Complete the steps in the Initial setup and configuration section.
2. Continue with the server setup. To do this, go to the Configure a server for deployment section.
3. Set up a logon script. To do this, follow these steps:
   1. In the Active Directory Users and Computers MMC snap-in, right-click the domain name, and then click Properties.
   2. Click the Group Policy tab.
   3. Click Default Domain Policy, and then click Edit.
   4. Expand Windows Settings for User Configuration, and then click Scripts.
   5. Double-click Logon, and then click Add. The Add a Script dialog box appears.
   6. In the Script Name box, type wscript.exe.
   7. In the Script Parameters box, type //B \\ServerName\UpdateStore\UpdateInstall.vbs /Install.
   8. Click OK, and then click Apply.
4. To perform a scan and deployment on a client computer, log off the client computer, and then log back on to the client computer with an administrator account to run the script.
5. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.

back to the top

Manually initiated method

To use the MS04-028 Enterprise Update Scanning Tool, the tool must be run by a user account that is a member of the local Administrators group.

From a local folder

Scanning only

1. Download the MS04-028 Enterprise Update Scanning tool. The following file is available for download from the Microsoft Download Center:
   Download the MS04-028 Enterprise Update Scanning tool, version 2 package now.
2. Run 2006.05.09-v2-EnterpriseScan-x86-EN.exe, and then install it to a local folder.
3. To perform a scan on the local computer, run the following command at a command prompt:

   WScript.exe //B Path\UpdateInstall.vbs

4. To see the results, review the logs in the %windir%\system32\Vpcache\Updatescan folder. For more information, see the Analyze the tool output section.

Scanning and deployment

1. Download the MS04-028 Enterprise Update Scanning tool. The following file is available for download from the Microsoft Download Center:
   Download the MS04-028 Enterprise Update Scanning tool, version 2 package now.
2. Run 2006.05.09-v2-EnterpriseScan-x86-EN.exe, and then install it to a local folder.
3. In the local folder where you extracted the MS04-028 Enterprise Update Scanning Tool, create a folder that is named UpdateStore. In the UpdateStore folder, create a folder that is named Updates.
4. In the Updates folder, create a folder structure to save the updates. Create the folder structure as described in the Configure a server for deployment section. You do not have to create a file share to install updates to a local computer.
5. To perform a scan and install on the local computer, run the following command at a command prompt:

   wscript //b Path\updateinstall.vbs /store Path\updates /install

From a remote share

Scanning only

1. Complete the steps in the Initial setup and configuration section.
2. To perform a scan on the local computer, run the following command at a command prompt:

   WScript.exe //B \\ServerName\UpdateStore\UpdateInstall.vbs

3. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.

Scanning and deployment

1. Complete the steps in the Initial setup and configuration section.
2. Continue with the server setup. For more information, go to the Configure a server for deployment section.
3. To perform a scan and deployment on the local computer, run the following command at a command prompt:

   WScript.exe //B \\ServerName\UpdateStore\UpdateInstall.vbs /Install

4. To see the results, review the logs in the \\ServerName\UpdateStore\Results folder. For more information, see the Analyze the tool output section.

back to the top

Initial setup and configuration

1. Download the MS04-028 Enterprise Update Scanning tool. The following file is available for download from the Microsoft Download Center:
   Download the MS04-028 Enterprise Update Scanning tool, version 2 package now.
2. Configure the server and share. To do this, follow these steps:
   1. Set up a share on a member server, and then name it UpdateStore.
   2. Run 2006.05.09-v2-EnterpriseScan-x86-EN.exe, and install it to the UpdateStore folder.
   3. Configure the following share and NTFS file system (NTFS) permissions:
      • Share permission:
        • Add the domain user account for the user who is managing this share, and then choose Full Control.
        • Remove the Everyone group.
        • If you use the computer startup script method, add the Domain Computers group with Change and Read permissions. If you use the logon script method, add the Authenticated Users group with Change and Read permissions.
      • NTFS permission:
        • Add the domain user account for the user who is managing this share, and then choose Full Control.
        • Remove the Everyone group if it is in the list.
          
          Note If you receive an error message when you remove the Everyone group, click Advanced on the Security tab, and then click to clear the Allow inheritable permissions from parent to propagate to this object check box.
        • If you use the computer startup script method, grant the Domain Computers group Read and Execute, List Folder Contents, and Read permissions.
        • If you use the logon script method, grant the Authenticated Users group Read and Execute, List Folder Contents, and Read permissions.
   4. Create a folder and name it Results under the UpdateStore folder. This is where the final report files will be written to during the scanning process.
   5. Configure the NTFS permissions on the Results folder. To do this, use the following methods:
      
      Note Do not change the Share permissions in this step.
      • Add the domain user account for the user who is managing this share, and then choose Full Control.
      • If you use the computer startup script method, give the Domain Computers group Modify, Read and Execute, List Folder Contents, Read, and Write permissions.
      • If you use the logon script method, give the Authenticated Users group Modify, Read and Execute, List Folder Contents, Read, and Write permissions.
   6. Configure the UpdateInstall.ini file as described in this article.

back to the top

Configure the server for deployments

1. Set up the folder structures that are required by the installer. In the shared folder (UpdateStore) that you created in the Initial setup and configuration section, create the following folder structure:

   - UpdateStore
       \ Result
       - Updates
           - .Net Framework 1.0
               \ 1033
           - .Net Framework 1.1
               \ 0
           + Internet Explorer 6
           - Office
               - 831931
                   \ 0
               + 831932
               + 832332
               + 838344
               + 838345
               + 838905
           - PictureIt! or Digital Image v6
               - 1033
           + PictureIt! or Digital Image v7
           + PictureIt! or Digital Image v9
           + Producer for 2003
           + Visual Studio .NET 2002
           + Visual Studio .NET 2003
           + Windows Server 2003
           - Windows XP
               \ 1033

   
   
   Microsoft has provided a batch file to automatically create the appropriate folder structure. To use the MakeFolders.cmd batch file, create an empty Updates folder, and then run the batch file with the following syntax:

   MakeFolders.cmd PathLocaleID

   Note Path is the path of the Updates folder, and LocaleID is the locale ID (LCID) for the languages that you want to install. For example:

   MakeFolders.cmd c:\UpdateStore\Updates 1033

   You can run the batch file multiple times in the same Updates folder to create as many locale folders as you must have. You may also use the "." relative path syntax to indicate the current working directory. For example, to create a folder structure for U.S. English updates in the current directory, you would run the following command:

   Makefolders.cmd . 1033

   Note that the batch file uses the Cacls.exe command to set permissions on the folders that it creates. Permissions on all files and folders inside Path will be set to Administrators/Full Control and Everyone/Read.
   
   Note After running Makefolders.cmd, you must also rename all the Picture It/Digital Image folder names as noted:

   • PictureIt! or Digital Image v6 to Picture It! or Digital Image v6
   • PictureIt! or Digital Image v7 to Picture It! or Digital Image v7
   • PictureIt! or Digital Image v9 to Picture It! or Digital Image v9
2. The folder structure for the update files is built with the following rules. If you use the batch file to create the folder structure, this process will be automated:
   • The subfolders under the Updates folder are for individual products. The product names must be the same as the product names that are in the Product column in the UpdateList.xls file. The UpdateList.xls file is located in the UpdateStore share. The product list is provided for your reference, but the file itself does not affect the scanning or deployment process in any way. The UpdateList.xls file does not include the Office, Visio, or Project updates.
     
     If you are creating a folder with a name that starts with a "." (period) character, you must create the folder from the command line. For example, you must type md .Net Framework 1.0. If you receive error message when you create the folder, you may have the command extensions turned off. To turn on the command extensions, type cmd e:on at a command prompt. After you create the folder, you can turn the command extensions off by typing cmd e:off at the command prompt.
   • For Office updates: Create subfolders that are named after the Microsoft Knowledge Base number. For example, for the Project 2002 update, you would use 831931. As soon as you have created the Microsoft Knowledge Base folders, create a subfolder under each Knowledge Base folder, and then name the subfolder 0 (zero). This folder is the folder where you must put the downloaded full-file update for the applicable Office product.
   • For the .NET Framework 1.1, Visual Studio .NET 2002, and Visual Studio .NET 2003: Create a folder for each product. Inside each product folder, create a subfolder that is named 0 (zero).
   • For products other than Office, .NET Framework 1.1, and Visual Studio .NET 2002 and 2003: Name the subfolders with the LCID of the update that you are installing. For example, you must use 1033 for English (United States) updates. For more information about Locale IDs, visit the following Microsoft Web site:

     http://www.microsoft.com/globaldev/reference/lcid-all.mspx

     .
   • Locale ID list
     The following is a list of languages and the corresponding Locale IDs that are supported by various updates that the tool can deploy:
     • 1033 English - United States
     • 1036 French - France
     • 1031 German - Germany
     • 1041 Japanese
     • 1040 Italian - Italy
     • 1034 Spanish - Spain
     • 1042 Korean
     • 1028 Chinese - Taiwan
     • 4100 Chinese - China
3. Download the updates.
   
   For updates that pertain to Office, Visio, and, Project, download each applicable full-file update from the links that are provided in the MS04-028 security bulletin. Put the full file updates in their respective folder. For example, for Project 2002 you would put the full-file update in the UpdateStore\Updates\Office\831031\0 folder.
   
   For non-Office updates, you can find the complete list of downloads that are available for this bulletin in the UpdateList.xls file. This file is located in the UpdateStore share. Put the downloaded executable file (.exe file) in the folder that is named after the LCID under the product folder. For example, for the Windows XP English update, put the executable file in the UpdateStore\Updates\Windows XP\1033 folder.

back to the top

Configure the UpdateInstall.ini file

The behavior of the MS04-028 Enterprise Update Scanning Tool is governed by the UpdateInstall.ini file. You can specify six parameters in this file. All these parameters are located under a [CommandLine] section heading. You can specify the following parameters:

• Share= \\ServerName\ShareName\Path
  This parameter specifies the location to which the tool will write its log files. For more information, see the Analyze the tool output section. Include the full path of the target folder.
• Store= \\ServerName\ShareName
  This parameter specifies the location of the product update files. If you use the tool to deploy updates, this is where we recommend that you build the deployment folder structure.
  
  Note The tool will look for an "Updates" folder in the share. Do not include the "Updates" folder in the path.
• Norestart= {True|False}
  When this parameter is set to True, the tool will not restart the computer after you install updates, even if one or more of the installed updates requires a restart to complete installation of the update. When this parameter is set to False, if the tool installs one or more product updates that require a restart for installation to complete, the tool will restart the computer to complete the installation of the updates. It is possible, however unlikely, that an update may not always install correctly yet may cause the tool to restart the computer. If this behavior occurs, the computer may continually restart. To correct the issue, set the NoRestart parameter to True. This will let the computer restart ordinarily and let you troubleshoot the problem.
  
  Note If Microsoft Producer is installed by the tool, a restart of the computer cannot be suppressed. To avoid unwanted restarts on computers that have Producer installed, do not copy the update for Producer to the UpdateStore file share. Instead, manually update computers where Producer is installed.
• Debug=
  Leave this parameter blank unless instructed otherwise by Microsoft Product Support Services.
• Authorized=
  This parameter is a list of Office updates that the tool will report as missing if they are not present on the computer. If this parameter is left blank, the tool will report on all Office updates.
• ScanInterval=
  This parameter determines the number of days that the tool will wait to rescan a computer that it has determined needs no updates. This parameter is valuable for deploying the tool through a logon script or a computer startup script. Instead of running at every logon or startup, the tool will first test whether it determined that no updates were needed on its last run. If no updates were needed, the tool will only perform another scan if more than ScanInterval days have elapsed. In this manner, the tool can provide updates for products that are installed on a computer after the tool has been deployed. However, the tool does not create excessive output logs. The tool stores the date that it last ran and determined the computer needed no updates in the following registry value:

  HKEY_LOCAL_computer\Software\Microsoft\Updates\UpdateScan\LastRun

  The tool only examines the ScanInterval parameter if it has previously determined that all applicable updates were installed on a computer. If one or more updates are missing, the tool will scan and deploy updates, as applicable, on its next run regardless of what the value of the ScanInterval parameter is.
  
  If you want to perform a scan every time that the tool is run, set this parameter to 0 (zero).
  
  If you want the tool to install all applicable updates and then never run again, set this parameter to an arbitrarily large number like 9999.
  
  

  If you want to rescan a single computer before ScanInterval days have elapsed, delete the HKEY_LOCAL_computer\Software\Microsoft\Updates\UpdateScan\LastRun registry value before you rescan the computer. If you want to rescan all the computers that are in your environment, set this parameter to 0 (zero).

back to the top

Analyze the tool output

The MS04-028 Enterprise Update Scanning Tool produces output in two locations that you can use to analyze the results of scanning and detection. You can also consolidate these reports for analysis on an enterprise level.

The tool always reports output on the local computer, in the %windir%\system32\VPCache\UpdateScan folder. The output files are Result.txt, UpdateScan.log, Results.xml, and Result.csv. These files are overwritten every time that you run the tool.

The tool also writes output files to the file share that is specified in the Share parameter of the UpdateInstall.ini file. The output files are named ComputerName_Date.txt and ComputerName_Date.csv, where ComputerName is the NetBIOS name of the computer and Date is in the format yyyymmddhhmmss.

The .csv files are in Unicode format. To view these files in Excel, follow these steps:

1. Start Excel.
2. On the File menu, click Open.
3. In the Files of type list, click *.csv.
4. Click the file that you want to open, and then click Open.
5. The import wizard will guide you through opening the file.

Result.txt

This file is located in the VPCache\UpdateScan folder on the computer on which the scan was run. The Result.txt file is a human-readable file that logs the progress of the execution of the tool, lists software updates that the tool has determined were missing from the computer, and lists the updates that the tool applied or tried to apply to the computer. This file is useful for manually reviewing the execution of the tool.

Note The tool will only run on currently supported Microsoft operating systems. If you run the tool on an unsupported operating system, you will receive the following message:

If you receive this message, it means that one of the following conditions is true:

• The tool is being run on an unsupported operating system.
• No non-Office products are installed that are vulnerable to the MS04-028 vulnerability.

You must manually verify that the tool is running on a supported operating system. That is, you must verify that the combination of operating system and operating system service pack is supported. If the detection tool determines that no updates are required on the system, the following text will be in the Result.txt file:

no missing updates detected

This text indicates that the operating system and all applicable applications are correctly updated.

The Result.txt file contains information about all products that are detected and updated by the tool.

UpdateScan.log

This file is located in the VPCache\UpdateScan folder on the computer where the scan was run. The UpdateScan.log file is primarily a debug log file of the execution of the tool. It is not practical for most users to use this file to capture useful information about the execution of the tool.

Results.xml

This file is located in the VPCache\UpdateScan folder on the computer where the scan was run. You can use the Results.xml file to aggregate data about non-Office updates across an enterprise. In particular, the "Status" field indicates whether a particular update is Applicable or Installed.

The XML file will not contain any data that is relevant to Office updates. For more information about Office updates, review the OfficeUpdate.MOF file in the NSHC folder.

OfficeUpdate.MOF

This file is located in the VPCache\UpdateScan\NSHC folder. The OfficeUpdate.MOF file lists the results from the Office Detection Tool. It complements the output in the Results.xml file.

Result.csv

This file is located in the VPCache\UpdateScan folder on the computer where the scan was run. The Result.csv file is a comma-delimited text file that you can use to aggregate data across an enterprise. It contains a header line that indicates the order of fields in the file, and one line for each affected product that was detected during the scan.

The following table describes the fields that are in the file:

The Result.csv file contains information about all products that are detected and updated by the tool.

The Status field indicates whether a required update is present. A status of "Applicable" indicates that the tool has detected a product with the MS04-028 vulnerability that has not been updated. A status of "Installed" indicates that the update is on the computer.

If updates are required on a computer, the tool will show a status of "Applicable" for each vulnerable product. Then, it will start the appropriate update installer. To verify that the updates were successfully installed, you must run the tool again and then verify that the status for all products is "Installed."

Note Microsoft may add fields to the .csv file in the future. But Microsoft will not change the order or the format of existing fields that are documented in this article.

ComputerName_Date.txt

This file is saved to the Results file share that is specified in the UpdateInstall.ini file. The ComputerName_Date.txt file is a copy of the Result.txt file that is saved to the local computer.

ComputerName_Date.csv

This file is saved to the Results file share that is specified in the UpdateInstall.ini file. The ComputerName_Date.csv file is a copy of the Result.csv file that is saved to the local computer.

back to the top

Consolidate data from multiple computers

Enterprise customers may want to consolidate the output data from multiple computers into an easy to read report, a database, or another format for purposes of reporting or compliance checking. Because of diverse customer requirements, Microsoft has not provided a centralized reporting solution with the tool. However, the .csv files that are saved to a centralized file share were designed to make such centralized reporting possible.

back to the top

Uninstall the tool

To uninstall the tool from client computers, delete the %windir%\system32\VPCache\UpdateScan folder.

back to the top

Limitations

• You must run the MS04-028 Enterprise Update Scanning Tool under the Administrator or System context.
• This tool has been tested on Windows 2000 and later operating systems with supported service packs only. When the tool is run in an unsupported operating system configuration such as Windows 2000 Service Pack 2 (SP2), you receive the following message:

  No checks apply to this system

• This tool performs local scans only.
• If you have used the administrative installation point to deploy Office products, you must continue to use that method of deployment. However, you can use this tool to obtain a scanning report.
• This tool does not provide detection for third-party applications that may be using a vulnerable version of the GDI+ component. For more information, see the MS04-028 security bulletin.
• Any modification or customization of the tool is not permitted under the End User License Agreement (EULA).
• Microsoft only supports the MS04-028 Enterprise Update Scanning Tool by executing the Updateinstall.vbs script. Any other entry point into the tool is unsupported.
• To run the tool on Windows NT 4.0 Server-based computers, you must have the following components installed on the computer. If these components are not present, the tool will not run correctly, and no output reports will be generated:
  • Windows Script Host (WSH). To download the WSH, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=01592C48-207D-4BE1-8A76-1C4099D7BBB9&displaylang=en

  • Windows Management Instrumentation (WMI). To download WMI, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=c174cfb1-ef67-471d-9277-4c2b1014a31e&DisplayLang=en

  • Windows Installer 2.0. To download Windows Installer 2.0, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=4b6140f9-2d36-4977-8fa1-6f8a0f5dca8f&DisplayLang=en

• In certain circumstances, you may be prompted for the source location of Office files during detection. If this behavior occurs, make sure that Windows Installer 2.0 is installed on the computer. Windows Installer 2.0 is required for the Office updates according to the MS04-028 security bulletin.
• The tool has only been tested on supported operating systems with supported versions of affected products. The tool may report inaccurate information or may not report information about unsupported products. For more information about supported product versions, see the following Microsoft Web sites:

  Windows Life-Cycle Policy
  http://www.microsoft.com/windows/lifecycle/default.mspx
  
  Product Lifecycle Dates - Windows Product Family
  http://support.microsoft.com/gp/lifeselect

• The tool requires MSXML (Microsoft XML Parser) 3.0 to be present on any computer on which it is run. MSXML 3.0 is installed by Internet Explorer 6 and Internet Explorer 6 SP1. MSXML 3.0 is also part of Windows Server 2003. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

  269238 Version list for the Microsoft XML parser

• The tool requires Internet Explorer 6 or Internet Explorer 6 SP1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

  328548 How to obtain the latest service pack for Internet Explorer 6

back to the top

Frequently asked questions

Q1: Why does my Result.txt report say "No checks apply to this system" but still indicates that Office updates are required?

A1: The Enterprise Update Scanning Tool internally is made up of two parts. One part scans the operating system and non-Office applications, and the second part performs a scan of Office applications. This message indicates that the non-Office scanner did not find any updates that must be applied to the computer.

This message does not necessarily mean that no updates are required. The computer may have an operating system that is not vulnerable yet Office products that are vulnerable may be installed on the computer. In this case, you will see indications in the Result.txt from the Office scan that updates are required.

You may also receive this message if you are running the tool on an unsupported platform. That is, the combination of operating system and service pack is not supported. The tool will only perform the non-Office scan on a supported platform.

Important You must verify that you are running a supported platform if you receive this message. You may have vulnerable products installed that are not updated by the tool if you are running an operating system that is not supported by the tool.

Q2: I have Visual Studio .NET 2003 installed on Windows XP SP1. Why does the tool only detect the operating system update for MS04-028 on my computer and not the Visual Studio .NET update?

A2: If you are running Windows XP or Windows Server 2003, you only have to install the updates for the operating system and Office products. You do not have to install the updates for other Microsoft products. These products use the version of GDI+ that is supplied by the operating system. However, if you have deployed third-party applications that use GDI+, see the software vendor for more guidance.

Q3: I have deployed internally developed applications that use GDI+. Will the tool update these applications?

A3: No. The tool will only detect and update Microsoft products. If you have third-party applications that use GDI+, these applications may be vulnerable. For more information about how to make sure that non-Microsoft products are correctly updated to help protect against this vulnerability, visit the following Microsoft Developer Network (MSDN) Web site:

Q4: How do I verify that all updates have been applied to a computer?

A4: After you run the tool and the tool installs updates, run the tool again to verify the installation of updates. The Result.txt file should indicate "No missing updates detected" when all applicable updates have been successfully installed on the computer.

Note If any updates require a restart of the computer, the tool will only detect these updates as being installed after the restart is performed.

Alternatively, you may examine the .csv file. If the .csv file shows no updates with a status of "Applicable," and if the platform is a supported platform, the computer is fully updated. A .csv file with only a header row does meet the criteria of a .csv file that shows no updates with a status of "Applicable."

Q5: The tool is producing no output. What is happening?

A5: Make sure that the client computer meets all the prerequisites that are listed in the Limitations section.

Q6: One or more updates is not being applied and I receive a 1603 error in the Result.txt file. What does this mean?

A6: The most common cause of a 1603 error is that the installer cannot find the original install source of the affected application. Under some circumstances, the original installation media is required. If you deployed one of these applications from a file share on your network, make sure that the client computer can access the original file share and that the original file share has the original installation files.

back to the top