Microsoft Network Security Hotfix Checker


The Hfnetchk tool is a command-line tool that you can use to assess a computer or selected group of computers for the presence or absence of security patches. You can use Hfnetchk to assess patch status for the Windows NT 4.0 and Windows 2000 operating systems, as well as hotfixes for IIS 4.0, IIS 5.0, SQL Server 7.0, and SQL Server 2000 (including MSDE), and Internet Explorer 5.01 or later.

The Hfnetchk tool uses an Extensible Markup Language (XML) file that contains information about which hotfixes are available for which products. The XML file contains security bulletin name and title, and detailed data about product-specific security hotfixes, including: files in each hotfix package and their file versions and checksums, registry keys that were applied by the hotfix installation package, information about which patches supersede which other patches, related Microsoft Knowledge Base article numbers, and much more.

When you run the Hfnetchk tool for the first time from a command line (without any switches), the tool must obtain a copy of this XML file so that the tool can find the hotfixes that are available for each product. The XML file is available on the Microsoft Download Center Web site in compressed form. The file is a digitally signed .cab file. Hfnetchk downloads the .cab file, verifies the signature, and then decompresses the .cab file to your local computer. Note that a .cab file is a compressed file that is similar to a .zip file.

After the .cab file is decompressed, Hfnetchk scans your computer (or the selected computers) to determine the operating system, service packs, and programs that you are running. Hfnetchk then parses the XML file and identifies security patches that are available for your combination of installed software.

For Hfnetchk to determine if a specific patch is installed on a given computer, three items are evaluated: the registry key that is installed by the patch, the file version, and the checksum for each file that is installed by the patch.

In the default configuration, Hfnetchk compares file details and registry keys from the resulting XML subset to the files and registry details on the computer that is being scanned. If any of the file or registry key details on the computer do not match the information that is stored in the XML file, the associated security patch is identified as not installed ("Patch NOT Found") and the results are displayed on the screen. The specific Microsoft Knowledge Base article number that relates to the patch is also displayed on the screen. If the XML file does not contain enough information to check for the program of a patch (or for a specified countermeasure), you may receive a warning message. For additional information about error messages and warning messages, click the article number below to view the article in the Microsoft Knowledge Base:

Q305385 Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool

Hfnetchk first examines the computer to determine if the registry key that is associated with the patch exists. If the registry key does not exist, the patch is considered not installed (see the Usage Syntax section below about the -z switch that disables checking for registry keys). If the registry key does exist, Hfnetchk searches for the related files on the computer and compares the file version and checksum from the XML file to the file version and checksum of the files on the computer. If any of the file tests do not work, the hotfix is listed as "Patch NOT Found".

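The check order described in the post above (registry key first, then file version and checksum for every file, with -z skipping the registry step), written out as an added example that is not part of the original post and is not Hfnetchk's own code. The XML layout, the registry key, the file paths and all values are constructed placeholders, and the host is modelled as an in-memory inventory rather than a live registry and file system.

```python
import xml.etree.ElementTree as ET

# Constructed data: element names, attributes and values are hypothetical
# placeholders, not the schema or contents of Microsoft's XML file.
PATCH_XML = r"""
<patches>
  <patch kb="Q000000" regkey="HKLM\SOFTWARE\Example\Hotfix\Q000000">
    <file path="C:\WINNT\system32\a.dll" version="5.0.2195.10" checksum="1a2b"/>
    <file path="C:\WINNT\system32\b.dll" version="5.0.2195.12" checksum="3c4d"/>
  </patch>
</patches>
"""
NOT_FOUND = "Patch NOT Found"   # status string quoted in the post
FOUND = "Patch Found"           # label chosen for this example

def check_patch(patch, host, skip_registry=False):
    """Evaluate one <patch> element against a host inventory dict."""
    # Step 1: registry key written by the installer. skip_registry models
    # the -z switch the post mentions (registry checks disabled).
    if not skip_registry and patch.get("regkey") not in host["regkeys"]:
        return NOT_FOUND, "registry key missing"
    # Step 2: every file must match on both version and checksum.
    for f in patch.findall("file"):
        actual = host["files"].get(f.get("path"))
        if actual is None:
            return NOT_FOUND, "file missing"
        if actual[0] != f.get("version"):
            return NOT_FOUND, "file version mismatch"
        if actual[1] != f.get("checksum"):
            return NOT_FOUND, "checksum mismatch"
    return FOUND, "all checks passed"

def scan(xml_text, host, skip_registry=False):
    """Map each patch's KB number to its (status, reason) result."""
    root = ET.fromstring(xml_text)
    return {p.get("kb"): check_patch(p, host, skip_registry)
            for p in root.findall("patch")}

KEY = r"HKLM\SOFTWARE\Example\Hotfix\Q000000"
A, B = r"C:\WINNT\system32\a.dll", r"C:\WINNT\system32\b.dll"
GOOD = {A: ("5.0.2195.10", "1a2b"), B: ("5.0.2195.12", "3c4d")}
# Constructed hosts: fully patched; key present but b.dll replaced by an
# older build; files current but the registry key absent.
patched = {"regkeys": {KEY}, "files": GOOD}
rolled_back = {"regkeys": {KEY}, "files": {**GOOD, B: ("5.0.2195.9", "9f9f")}}
no_key = {"regkeys": set(), "files": GOOD}

if __name__ == "__main__":
    for name, host in [("patched", patched), ("rolled_back", rolled_back), ("no_key", no_key)]:
        print(name, scan(PATCH_XML, host), scan(PATCH_XML, host, skip_registry=True))
```

The rolled_back host shows why the registry key alone is not trusted: the key is still present, but the file comparison reports the patch as not found.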