Saturday, November 1, 2008

Poor Man's Patching with PSExec & PowerShell

With the release of a patch as critical as MS08-067, it seems that us "patchers" are up against it. This post details an alternative method of deploying patches using PSExec and PowerShell.


You will need:

  • PSExec
  • PowerShell (with Quest AD Cmdlets installed)

1. OK, so first you need to create a share that all the servers can see. Once done, download the patch (or patches) and copy them to the share.

2. Now you need a list of all your servers, if you don't have one. I would use PowerShell for this.

get-qadobject -sizelimit 0 -type computer | where {$_.osname -match "server"} | select name > c:\servers.txt

Tidy up the text file by removing the header field (Name) manually.

3. Now use PSExec to deploy the patch from the share to the servers listed in the file.

psexec @c:\servers.txt -c "\\File-Server\SecurityPatches$\MS08-067.exe" /quiet /norestart /overwriteoem

If you have many patches to install you could place the line above into a batch file and simply change the name of the patch on each line.

4. Use PowerShell to reboot all the servers in the list if required. The following PowerShell one-liner will do that.

gc c:\servers.txt | ForEach-Object { gwmi win32_operatingsystem -ComputerName $_ | ForEach-Object { $_.reboot() }}

5. Finally, use PowerShell to check that the patches have been deployed successfully. The following script will prompt you for your server list file and the HotFix ID you want to check for.

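function Get-HotFix($server,$hotFixID) {
process {  # $_ is the server name piped in from the list file
$results = gwmi win32_quickfixengineering -computer $_ -filter "HotFixID='$hotFixID'"
if ($results) {
$results | select CSName,HotFixID,@{n="Installed";e={"Yes"}}
} else {
# No matching entry: emit a row marking the hotfix as not installed
$results = "" | select CSName,HotFixID,Installed
$results.CSName = $_; $results.HotFixID = $hotFixID; $results.Installed = "No"
$results
}
}
}
gc (Read-Host "Please provide path to server list file") | Get-HotFix -hotFixID (Read-Host "Hotfix ID") | ft -auto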
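
As an added example (not part of the original post), the check in step 5 can be extended to separate servers that could not be queried from servers that are missing the patch, since a server that cannot be reached returns no WMI result just like one without the hotfix. The function name Get-PatchStatus and the output path c:\patch-status.csv are assumptions, and the script needs Windows PowerShell 2.0 or later for try/catch.

```powershell
# Added example: hypothetical helper, not from the original post.
function Get-PatchStatus {
    param(
        [string]$ListPath,   # server list, e.g. c:\servers.txt from step 2
        [string]$HotFixID    # ID as it appears in Win32_QuickFixEngineering
    )
    # Drop blank lines and the "Name"/"----" header left by "select name >"
    $servers = Get-Content $ListPath |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'Name' -and $_ -notmatch '^-+$' }

    foreach ($server in $servers) {
        $row = New-Object PSObject -Property @{
            CSName = $server; HotFixID = $HotFixID; Status = 'Unknown'; Detail = ''
        }
        try {
            # -ErrorAction Stop turns RPC/access failures into catchable errors
            $qfe = Get-WmiObject Win32_QuickFixEngineering -ComputerName $server `
                -Filter "HotFixID='$HotFixID'" -ErrorAction Stop
            if ($qfe) { $row.Status = 'Installed' } else { $row.Status = 'Missing' }
        } catch {
            # Could not query: report separately instead of counting as unpatched
            $row.Status = 'Unreachable'
            $row.Detail = $_.Exception.Message
        }
        $row
    }
}

$report = Get-PatchStatus -ListPath 'c:\servers.txt' -HotFixID (Read-Host "Hotfix ID")
# Keep a dated record of coverage (output path is an assumption)
$report | Select-Object CSName,HotFixID,Status,Detail |
    Export-Csv c:\patch-status.csv -NoTypeInformation
$report | Group-Object Status | Select-Object Name,Count | Format-Table -AutoSize
```

Servers listed as Unreachable need a second pass once they are back online; they have not been confirmed as patched or unpatched.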

Or you could use WSUS or SMS I guess.


Anonymous said...

Can you explain psexec uses in a post?

sc (service controller) would be a nice topic too

SynJunkie said...

Thanks for leaving a comment. I'll see if I can come up with a few interesting uses and blog it.

Anonymous said...

This is a GREAT post! - thanks!

Josh said...

According to the psexec help, it says passwords are passed in the clear, however it says if -u is not specified, current logged-in creds will be used, but this is done using impersonation, if I recall that means a security token is passed, but not the actual password right? Can't the token also be used nefariously?

SynJunkie said...


I think you're right and passwords are in clear. I'll have to earmark this for a future post after my Citrix series.

Let me know if you find out anything further though.